The site, with 300 million active users from almost every country, suffers from an information disclosure vulnerability that puts millions of users' personal information at risk.
Israeli application security researcher Amitay Dan has discovered a critical vulnerability on Ali Express. The researcher reported the flaw to Ali Express and also provided full disclosure of the vulnerability to Israeli media and THN.
For a better explanation of the bug, Amitay provided a video demonstration of the vulnerability that walks through the details of the flaw.
For some reason, the demonstration video of the vulnerability has since been deleted.
According to the video proof-of-concept of the flaw, Ali Express allows logged-in users to add or update their shipping address and contact number at the following URL: http://trade.aliexpress.com/mailingaddress/mailingAddress.htm?mailingAddressId=123456
Here 123456 is the user ID. Researcher Amitay changed the value of the mailingAddressId parameter to random digits, and this manipulation of the user ID led to the exposure of another user's information.
The Ali Express site failed to validate the request and simply showed the respective user's details on the same page. The flaw was simple but very critical, as attackers could harvest the personal information of millions of users just by changing the user ID.
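The bug described above is a missing ownership check: the server trusts an object ID taken straight from the request. The following is an added example, not Ali Express's code; it reproduces the pattern with a constructed in-memory SQLite table and shows the flawed lookup beside the fixed one that scopes the query to the authenticated user.

```python
# Added example (not Ali Express code): a mailing-address lookup with the
# access-control flaw and its fix. Table, ids and user data are constructed.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts, each owning one mailing address."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailing_address (id INTEGER PRIMARY KEY, "
               "owner_user_id INTEGER NOT NULL, recipient TEXT, phone TEXT)")
    db.executemany("INSERT INTO mailing_address VALUES (?, ?, ?, ?)", [
        (123456, 1001, "Alice Example", "+1-555-0100"),
        (123457, 1002, "Bob Example", "+1-555-0101"),
    ])
    return db


class NotFound(Exception):
    """Raised for ids that do not exist or do not belong to the caller."""


def address_vulnerable(db, session_user_id: int, mailing_address_id: int):
    """The flawed pattern: the row is selected by the id from the URL alone.
    session_user_id is never consulted, so a changed mailingAddressId returns
    another customer's record."""
    row = db.execute("SELECT recipient, phone FROM mailing_address WHERE id = ?",
                     (mailing_address_id,)).fetchone()
    if row is None:
        raise NotFound()
    return {"recipient": row[0], "phone": row[1]}


def address_fixed(db, session_user_id: int, mailing_address_id: int):
    """The fix: scope the lookup to rows owned by the authenticated user.
    A foreign id and a non-existent id give the same response, so the
    endpoint does not reveal which ids exist."""
    row = db.execute("SELECT recipient, phone FROM mailing_address "
                     "WHERE id = ? AND owner_user_id = ?",
                     (mailing_address_id, session_user_id)).fetchone()
    if row is None:
        raise NotFound()
    return {"recipient": row[0], "phone": row[1]}


def fixed_denies(db, session_user_id: int, mailing_address_id: int) -> bool:
    """True when the fixed handler refuses the request."""
    try:
        address_fixed(db, session_user_id, mailing_address_id)
    except NotFound:
        return True
    return False
```

Running `address_vulnerable(build_db(), 1001, 123457)` returns Bob's record to Alice's session, while `address_fixed` with the same arguments raises `NotFound`.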