Insecure Apollo Pharmacy billing API (for online orders)

So, a few days back I ordered some medicine from Apollo247 for my mother. After that, they sent a confirmation message with a link for their digital bill. When I opened the link, I noticed that the link uses an ID to retrieve the bill data using an API.
The concern is that anyone can give any random ID (7 digits) and receive the data of a random customer. The data shown in the bill includes: customer name, doctor name, customer mobile number, bill number, purchase date, purchased items and prices, and many more.

API LINK: https://onlineapi.apollopharmacy.org/billgeneration/index/index/id/{7 digits id}

Here's how it works:


1 Like
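The post above describes an insecure direct object reference: the 7-digit bill ID is the only thing the endpoint checks, so any valid ID returns another customer's bill. The following is an added illustration, not code from the poster or from Apollo's service, and it makes no claim about how the real endpoint is built. It shows the weak lookup pattern beside a hardened one (an HMAC tag on the bill ID, so the SMS link carries something a guesser cannot compute, verified with a constant-time comparison), and a small detector that flags a client fetching many distinct bill IDs in a short window. The bill records, the signing key, the client addresses and the log format are all constructed for the example.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample records (not real customer data): bill id -> bill fields.
BILLS = {
    1234567: {"customer": "Customer A", "mobile": "+91-00000-00000", "total": 420.0},
    1234568: {"customer": "Customer B", "mobile": "+91-11111-11111", "total": 99.5},
}

# Constructed demo key; a real service would load this from a secrets store.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def lookup_bill_weak(bill_id):
    """Weak pattern from the thread: the numeric id in the URL is the only
    input, so every valid 7-digit value maps to some customer's bill."""
    return BILLS.get(bill_id)


def sign_bill_id(bill_id, secret=SECRET_KEY):
    """HMAC-SHA256 tag over the bill id that only the server can compute."""
    return hmac.new(secret, f"bill:{bill_id}".encode(), hashlib.sha256).hexdigest()


def make_bill_link(bill_id, secret=SECRET_KEY):
    """Link placed in the confirmation SMS: id plus tag (path is hypothetical)."""
    return f"/billgeneration/{bill_id}?sig={sign_bill_id(bill_id, secret)}"


def lookup_bill_signed(bill_id, sig, secret=SECRET_KEY):
    """Hardened lookup: verify the tag in constant time before touching the record.
    A bad or missing tag is answered exactly like an unknown bill."""
    expected = sign_bill_id(bill_id, secret)
    if not hmac.compare_digest(expected, sig):
        return None
    return BILLS.get(bill_id)


def flag_enumeration(log_lines, max_distinct_ids=5, window_seconds=60):
    """Detection: return client addresses that requested at least
    max_distinct_ids different bill ids within window_seconds.
    Each constructed log line is 'epoch_seconds client_ip bill_id status'."""
    seen = defaultdict(list)  # client ip -> [(timestamp, bill_id), ...]
    for line in log_lines:
        ts, ip, bill_id, _status = line.split()
        seen[ip].append((int(ts), bill_id))
    flagged = set()
    for ip, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ids = {b for t, b in events[i:] if t - start <= window_seconds}
            if len(ids) >= max_distinct_ids:
                flagged.add(ip)
                break
    return flagged


# Constructed access log: one customer opening their own bill twice, and one
# client requesting consecutive ids, most of which do not exist.
SAMPLE_LOG = [
    "1700000000 198.51.100.7 1234567 200",
    "1700000001 203.0.113.9 1000000 404",
    "1700000002 203.0.113.9 1000001 404",
    "1700000003 203.0.113.9 1000002 200",
    "1700000004 203.0.113.9 1000003 200",
    "1700000005 203.0.113.9 1000004 404",
    "1700000100 198.51.100.7 1234567 200",
]

if __name__ == "__main__":
    print(make_bill_link(1234567))
    print(flag_enumeration(SAMPLE_LOG))
```

The signed link keeps the existing numeric IDs and needs no database change, which is why it is a common first fix; tying the bill to the logged-in account, or adding an expiry to the signed payload, would tighten it further. The detector's thresholds are illustrative and would need tuning against real traffic, but the high ratio of 404s to hits in the constructed log is the same signal a reviewer would look for.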

Just quickly checked and it seems they’ve fixed this now.

1 Like

Yes, they have fixed it now.

1 Like