This is a very very major violation of the law done by lenskart.com wherein the personal data of all its customers is compromised including account details and all other details of personal and financial nature. I was about to complete a purchase on lenskart.com, while logged in to my lenskart account with my login credentials, and about to checkout when I get an error message saying that my cart is empty, was redirected to the homepage and next I see I am logged in to the account of some random person, in some other corner of this world, and my order, with my optical power is processed through that person’s account and I can view all the personal and private details of that person which includes his full name, email address, his address, his phone number, his date of birth, his purchase history, his orders, financial information, etc. Since then, every time I log in with my credentials on lenskart.com, I am logged in to the account of a distinct stranger altogether everytime making me access all information of that person.
I believe this is because of wrong query parsing at the server side or the fact that no distinct tokens are generated for distinct sessions and all simultaneous sessions are given the same token id at the server end. But this is a case wherein I can see other peoples personal data and can log into their account and do anything I want(with me not having such intentions), similarly others can see my data and other peoples’ data as well and everybody’s intentions may not be good. This is against law and against the privacy policy and terms of use they boast about on their website. For obvious security reasons I cannot share screenshots of the same here but I obviously do have them and this is a very very horrible management of an online e-commerce website and definitely a criminal offense.
What is worse is that I have raised this as a concern with their support center about 27 hours back with ticket id #214166 and as I see the status, this ticket is not even assigned a support agent and the problem is still continuing. They just dont care about a matter of such grave importance. They just dont care.
Our personal data is mismanaged by lenskart.com compromising it that it may fall in wrong hands or anybody can do anything from our accounts. I do intend to take legal recourse in the said regards because first they do not action on whistle blowers, don’t care about the data integrity and violently breaking law making all our critical data be exposed to the world wherein they by their own terms of use are not supposed to and even by law they are not supposed to.
I would suggest all of you to stop making financial or personal transactions or interchange on this website because you might be the next victim of your data being exposed to all strangers.