July 6, 2026
How I Learned My Friend’s Favorite Lipstick Shade Without Asking — Compromising a Fashion Brand
No, It’s not mentalism!

By Krishnadev P Melevila
3 min read
Heyy guyz! I am back with a new writeup.
Yes, I know you need to know how I was able to know my friends favorite lipstick shade. Is it? Yes, You heared it right!!
Read the article without subscription here: https://krishnadevpmelevila.medium.com/how-i-learned-my-friends-favorite-lipstick-shade-without-asking-compromising-a-fashion-brand-d6d51992d1ef?sk=ccced076acf260c4435677261222e75b
DISCLAIMER: The application/website which I engaged with, cannot be disclosed here, and also all the endpoints, tokens, PIIs, Secrets, Emails, all and all is created for the sake of this writeup only and actual details/scenario can't be disclosed as per the RVDP guidelines of the program.
Let's Start!
So, It begin with a random thought in a random morning!
How beautiful the world would be if we had the superpower to understand others' needs and interests.
We'd never wonder what gift to buy for a birthday. We'd know exactly how to encourage someone on a difficult day, celebrate their quiet victories, support them without being asked, and make them feel truly seen and understood.
Heyy Wait wait wait!! I know some people who have this super power!!!
Yes, It is none other than the e-commerce applications/websites that we are using in our day-day life.
We all have that habit of adding products we like to our wishlist, even when we have no plans to buy them anytime soon.
So what if we are able to get this whishlist data?
That's the catchpoint for this attack! Now lets talk something technical!
Let's Jump
The attack was relatively simple. We first logged into a legitimate account on the platform and then exploited a horizontal privilege escalation vulnerability. This enabled us to impersonate another user, resulting in account takeover and access to their private wishlist.
Steps to reproduce in attackers POV:
- Login to the platform with a valid username/password
- The platform was using a JWT token based authentication
- So, after login, we will get a JWT token. As you all know JWT token contains 3 parts:
-
Here I changed the uid parameter and encoded back the token and send a new request to /whishlist/v1/get endpoint.
-
WOW!! I got my friend's Whishlist!!!! ( Hypothethical, It needs some more time to get the exact uid of my friend. — We can use tools like burp intruder to get the exact uid)
So this is how it ended., Now I know the products my friend will be buying in near fututre, So I can gift it for his/her bday.
Heyy! Just kidding, The real impact is way more than we think.
Since the application failed to properly validate the JWT signature, an attacker could modify the token payload and assume the identity of another user. Once authenticated as the victim, any functionality that relied solely on the JWT claims became accessible.
Depending on the application's implementation, this could allow an attacker to:
- Access another user's profile and personal information.
- View private wishlists and shopping preferences.
- Read saved addresses and contact details.
- Access order history and purchase patterns.
- View or modify account settings.
- Abuse loyalty points, coupons, or promotional benefits.
- Perform actions on behalf of the victim.
- Potentially take over any account by simply forging a valid-looking JWT.
In other words, the vulnerability was not limited to a single endpoint. The wishlist endpoint merely served as proof that the authorization model trusted user-controlled JWT claims without verifying their integrity.
This is why JWT signature validation is so critical. A JWT should never be trusted unless its signature has been successfully verified. Skipping this step effectively allows attackers to create their own identities within the application.
Fortunately, the issue was responsibly disclosed through the organization's bug bounty program, acknowledged by the security team, and remediated before this write-up was published.
— — —
Don't forget to follow me on medium and other social media. Also please give your 50 claps for this write-up and that's my inspiration to write more!!
My Instagram handle: https://instagram.com/krishnadev_p_melevila
My Twitter handle: https://twitter.com/Krishnadev_P_M
My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/