Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on api.zomato.com

Program: Zomato
Bug Type: HTTP request smuggling
Bounty: Unspecified
Date: 2020-01-10
http-request-smuggling http1.1-must-die desync

Summary

A CL.TE HTTP request smuggling vulnerability was discovered on api.zomato.com due to inconsistent parsing of the Transfer-Encoding and Content-Length headers between Akamai (front end) and the backend servers. By exploiting this desync with a malformed Transfer-Encoding:\tchunked header (a tab in place of the usual space before the value), an attacker could poison backend requests and force victims' connections to be redirected to attacker-controlled endpoints. This enabled theft of X-Access-Token headers at scale, leading to full account takeover and mass PII exposure. The issue was patched at the Akamai layer and the affected tokens were revoked.
This summary was generated by AI.
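As an added example (not code from the report, Zomato or Akamai), the following strict framing check shows what a front end can do to close the gap the summary describes: reject any request whose body length two parsers might compute differently, including the tab-prefixed Transfer-Encoding value. The request samples are constructed; no real host is contacted.

```python
# Added example (not from the Zomato report or any Akamai/Zomato code): a
# strict framing check a front-end proxy or WAF could run before forwarding a
# request. It rejects messages whose body length two different parsers might
# compute differently, which is the root cause of a CL.TE desync.
import re

# RFC 7230 token characters; a header name containing whitespace fails this.
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def framing_issues(raw: bytes) -> list:
    """Return the reasons a raw HTTP/1.1 request has ambiguous framing.

    An empty list means the request is safe to forward unchanged.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    issues, cl_values, te_values = [], [], []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t"):              # obs-fold: parsers disagree on it
            issues.append("obsolete line folding in headers")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):      # e.g. "Transfer-Encoding :" or "Foo\tBar:"
            issues.append("malformed header line: %r" % line)
            continue
        key = name.lower()
        if key == b"content-length":
            cl_values.append(value.strip(b" \t"))
        elif key == b"transfer-encoding":
            te_values.append(value)                # keep raw whitespace for inspection
    if cl_values and te_values:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        issues.append("conflicting Content-Length values")
    for v in cl_values:
        if not v.isdigit():
            issues.append("non-numeric Content-Length: %r" % v)
    for v in te_values:
        # Only the exact canonical spelling "Transfer-Encoding: chunked" is
        # accepted. A tab, missing or extra whitespace, or odd casing is valid
        # to some parsers and unrecognised by others, which is the gap here;
        # the edge rejects such requests instead of guessing.
        if v != b" chunked":
            issues.append("non-canonical Transfer-Encoding value: %r" % v)
    return issues
```

Any non-empty result should be answered with a 400 and the connection closed, so the upstream never sees a request the edge could not frame unambiguously.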

References