The last time Hackerfall tried to access this page, it returned a not found error. A cached version of the page is below, or clickhereto continue anyway

Bug#2 Order anything for free on BigBasket · Fallible Blog

Bug#2 Order anything for free on BigBasket

10 Oct 2015

This bug is a part of the vulnerabilites we discovered in 11 Indian startups worth $3 billion+ in a week.

Company: BigBasket is an online grocery shopping startup based out of India. Valuation: $180 million+ Bug: You just need to make a valid transaction once on Bigbasket (even cancel that order afterwards) and then use that transaction id infinite number of times. Note that the integer part of amount of the orders needs to be the same. This was due to a missing unqiue constraint on the transaction id which was being assigned to different order ids.

Their response

BigBasket was responsive in their communication and their CTO along with VP Tech constantly keeping us updated and were quick to fix the bug. They even offered a token bounty of 5000 rupees in BigBasket credits, which we have not accepted.


Please be extra careful while designing your database schemas and APIs, any obvious unique contraints should not be missed.

Continue reading on