Spear Phishing, an issue with PayTM


Before you dive deep into the technical details, I wish to confirm that this vulnerability has been FIXED. Thanks to PayTM for taking quick action. Looking forward to such quick responses on security concerns. Kudos!

Don’t get this wrong. I wish to share a vulnerability that attackers can leverage to initiate a spear phishing attack. The website in question is paytm.com. There is an information disclosure vulnerability in the main website: an unauthenticated user can query for the email address registered against a mobile number. This means that if you have the mobile number of a person who is a PayTM member, you can find their registered email address on the website. Combine these two elements, and you can send a targeted email to the victim.

Let us dive straight into it. PayTM uses the following link as its login page: https://hub.paytm.com/user/authenticate
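To make the class of flaw concrete from the defender's side, here is an added example (not code from this post or from PayTM) of a lookup handler with the described behaviour next to a hardened form, plus a small audit that flags both the email disclosure and the registered/unregistered response difference. The handler names, response shapes, user store and the uniform-response fix are all assumptions for illustration.

```python
import re

# Constructed sample data: mobile number -> registered email (not real accounts).
USERS = {"9000000001": "alice@example.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def lookup_vulnerable(mobile, session_user=None):
    """Behaviour described in the post: anyone can map a mobile number to an email."""
    email = USERS.get(mobile)
    if email is None:
        return {"status": 404, "body": {"error": "user not found"}}
    return {"status": 200, "body": {"mobile": mobile, "email": email}}


def lookup_hardened(mobile, session_user=None):
    """Assumed fix: identical answer for every number unless the caller owns it."""
    if session_user is not None and session_user == mobile and mobile in USERS:
        return {"status": 200, "body": {"mobile": mobile, "email": USERS[mobile]}}
    return {
        "status": 200,
        "body": {"message": "If the number is registered, continue to login."},
    }


def audit_lookup(handler, registered, unregistered):
    """Probe the handler as an unauthenticated caller and list what it leaks."""
    findings = []
    hit = handler(registered)
    miss = handler(unregistered)
    # Direct disclosure: any email address in the response body.
    if EMAIL_RE.search(str(hit["body"])):
        findings.append("email disclosed to unauthenticated caller")
    # Enumeration: the response reveals whether the number is registered.
    if hit != miss:
        findings.append("response differs for registered vs unregistered number")
    return findings


if __name__ == "__main__":
    for handler in (lookup_vulnerable, lookup_hardened):
        print(handler.__name__, audit_lookup(handler, "9000000001", "9000000002"))
```

A check like `audit_lookup` fits in a regression suite for any endpoint that accepts a phone number or email before login.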