



For better explanation of the bug Amitay have provided a video demonstration of the vulnerability which explain the details information about flaw.

According to the video Proof-Of-Concepts of the flaw, Ali Express allows logged in user to add/update their shipping address and contact number at the following URL i.e. http://trade.aliexpress.com/mailingaddress/mailingAddress.htm?mailingAddressId=123456

and here 123456 is the user Id. Researcher Amitay have changed the value of the mailingAddressId parameter with random digits, and this manipulation of the users ID leads to expose of the users information.

Ali Express site failed in validation and thus shows the respective users details on the same page. This was simple but was very critical as attacker can grab personal information of millions of users just by randomly changing the Users ID.

One of the popular E-Commerce website AliExpress which is owned by Alibaba.com suffers from a simple but critical Users information disclosure vulnerability. The vulnerability critical as it can expose any user's information without have the victim's account passwords.Site having 300 million active users from almost over the world suffers from information disclosure vulnerability that puts million of users information under risk.An Israeli application security researcher Amitay Dan have discovered the critical vulnerability on Ali Express, Researcher have reported the flaw to Ali Express and also provided the full disclosure of the vulnerability to Israel media and THN.