Story of an IDOR with insecure API but responsible disclosure that saved millions of users' data. (Lovely 5k$)
During one of my routine explorations of public Chrome extensions, I stumbled upon a chain-owned extension belonging to a popular Asian coffee delivery platform. The extension, designed for quick order access, included preconfigured API endpoints and a hardcoded authorization key.
Most developers assume Chrome extensions are harmless. But once installed, they’re just ZIP archives — any resource, including JavaScript and config files, is easily accessible.
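Because an extension package is just a ZIP (a `.crx` file only adds a short header in front of the ZIP payload), the same inspection a curious user can do is also a cheap pre-publication check a developer can run against their own build. The script below is an added example, not code from the original post or from the platform it describes: it opens an extension package, walks the JavaScript/JSON/HTML files inside, and flags hardcoded bearer tokens, key assignments and API base URLs. The regexes and the sample extension it builds (with a clearly labelled placeholder key) are constructed for illustration; tune the patterns to the credential formats you actually issue.

```python
import io
import re
import zipfile

# Illustrative patterns (assumption: adjust to your own key formats).
SECRET_PATTERNS = {
    "bearer_token": re.compile(
        r"[Aa]uthorization['\"]?\s*[:=]\s*['\"]?Bearer\s+[A-Za-z0-9._\-]{16,}"
    ),
    "api_key_assignment": re.compile(
        r"(?i)(api[_-]?key|auth[_-]?key|secret)['\"]?\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"
    ),
    "api_endpoint": re.compile(r"https?://[A-Za-z0-9.\-]+/api/[A-Za-z0-9/_\-]*"),
}

# Only text resources are worth scanning; images and fonts are skipped.
SCANNED_SUFFIXES = (".js", ".json", ".html")


def extension_zip_bytes(blob: bytes) -> bytes:
    """Return the ZIP payload of a package, stripping a CRX header if present.

    CRX files begin with the magic bytes "Cr24" followed by a header; the
    ZIP data starts at the first local-file-header signature "PK\\x03\\x04".
    """
    if blob.startswith(b"Cr24"):
        idx = blob.find(b"PK\x03\x04")
        if idx < 0:
            raise ValueError("CRX header present but no ZIP payload found")
        return blob[idx:]
    return blob


def scan_extension(blob: bytes) -> list:
    """Scan every text resource in the package and report suspicious lines."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(extension_zip_bytes(blob))) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(SCANNED_SUFFIXES):
                continue
            text = zf.read(info.filename).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), start=1):
                for kind, pattern in SECRET_PATTERNS.items():
                    for match in pattern.finditer(line):
                        findings.append({
                            "file": info.filename,
                            "line": lineno,
                            "kind": kind,
                            # Truncate so a real token never lands in a log in full.
                            "match": match.group(0)[:40],
                        })
    return findings


def build_sample_extension() -> bytes:
    """Constructed sample package: a minimal MV3 extension with a baked-in key."""
    files = {
        "manifest.json": '{"manifest_version": 3, "name": "demo", "version": "1.0"}',
        "background.js": (
            'const API = "https://api.example.invalid/api/v1/orders";\n'
            'fetch(API, {headers: {Authorization: "Bearer EXAMPLE_KEY_0123456789abcdef"}});\n'
        ),
        "icon.png": "not-really-a-png",  # binary resource, skipped by the scanner
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_extension(build_sample_extension()):
        print(f"{finding['file']}:{finding['line']} [{finding['kind']}] {finding['match']}")
```

Run it against a real package with `scan_extension(open("my-extension.zip", "rb").read())` (or a `.crx`); any `bearer_token` or `api_key_assignment` hit before publishing means the credential must move server-side and the key be rotated, since the Web Store listing is public the moment it goes live.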
According to Google’s Chrome Web Store Developer Program Policies, extensions must not expose sensitive credentials or grant unauthorized access to user data. This incident clearly violated those rules, and the extension was voluntarily taken down within days of the report.
Cases like this may also highlight why Google has been moving away from Chrome Apps entirely — the end of support for Chrome Apps has been gradually rolling out, with full deprecation planned across all platforms. You can read more about that in Google’s official announcement. 🥹