Security concern: website able to fetch my Zerodha account details without asking for any permissions

naz edited June 2018 in General
@sujith @Kailash: How is any website (http://autonifty.com/Trading.aspx) able to fetch our account details without even asking for permission from us? This, to me, is a security breach and I would request your clarification/advice on the same. (Screenshots attached below.)

I went to the website above and clicked on the button with the name "Buy the basket @ Exact 9.21 AM". To my surprise, the website was able to directly fetch my client ID, show me as logged in and ask me to place the order, without even asking for any permission from me and without me authorizing anything.
I wonder if tomorrow it can automatically place orders as well, or for that matter do anything with the trading account!

How is any website able to fetch our account details without our permission or authentication, when our account details are allegedly secured on your servers? This looks to be a breach of security and data privacy.
Please advise and clarify.

Stage-1 Screenshot (http://autonifty.com/Trading.aspx) (attached)


Stage-1 as soon as someone clicks on the button "Buy the basket @ Exact 9.21 AM" (attached)


  • tonystark
    Hi @naz,

    The popup window shown is actually Kite not the above-mentioned website (see the address bar of the popup window). It is showing your user id because you were already logged in to Kite, maybe in another tab.

    Also, the website won't be able to access any information in that popup or perform any actions on your behalf, because of various security features (like CORS) implemented in browsers.
  • naz
    @tonystark I understand that. But it should be asking for login permission or authentication first, and then, once I provide authorization, it should take me to these pop-ups.
    I have never once faced a situation where no authorization/authentication was needed by a third-party website before showing me a logged-in pop-up or a different URL.
    Even Zerodha's own affiliated products like Coin, Varsity, smallcase etc. request permission/authentication when you try to open them from Zerodha's top-right drop-down menu (even if one is already logged in to Kite).

    Maybe I am being a bit sceptical here, but this doesn't instill much confidence.
  • tonystark
    Hi @naz,

    I understand your concern. You can compare this with how Facebook Share buttons and Tweet buttons work on websites. None of them perform the action automatically; they ask for the user's consent before the action.
  • naz
    @tonystark Thanks, makes sense.
This discussion has been closed.
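The two browser rules behind tonystark's answer, modelled as an added example (this is not code from the thread, from autonifty.com or from Zerodha's Kite). The popup is a navigation to Kite's own origin, so the browser attaches Kite's session cookie and the page renders as logged in; the site that opened the popup runs at a different origin, and the same-origin policy keeps its scripts from reading anything inside that window. A cross-origin fetch from the opener to Kite would likewise yield nothing readable unless Kite's CORS response headers explicitly allowed it. The Kite URL, the cookie jar contents and the assumption that Kite sends no CORS headers to that site are all constructed for illustration.

```javascript
// Added example (not from the forum thread or from Zerodha/Kite): a model of
// same-origin policy and the CORS response check as a browser applies them.

const OPENER_PAGE = "http://autonifty.com/Trading.aspx"; // URL from the thread
const KITE_POPUP = "https://kite.zerodha.com/basket";    // assumed Kite URL

// Browser notion of origin: scheme + host + port (default port implied).
function originOf(url) {
  return new URL(url).origin;
}

// Same-origin policy: a script at `scriptUrl` may read the DOM of a window
// showing `targetUrl` only when both have the identical origin.
function canScriptReadWindow(scriptUrl, targetUrl) {
  return originOf(scriptUrl) === originOf(targetUrl);
}

// Cookie jar scoped by host, as the browser keeps it (constructed value).
// The Kite cookie is attached to any navigation to Kite regardless of which
// page opened the window, which is why the popup already shows the user id.
const COOKIE_JAR = { "kite.zerodha.com": ["kite_session=constructed-value"] };

function cookiesSentTo(url) {
  return COOKIE_JAR[new URL(url).hostname] || [];
}

// CORS response check: the body is exposed to the calling script only if
// Access-Control-Allow-Origin matches the requesting origin ("*" counts only
// for requests made without cookies) and, for credentialed requests,
// Access-Control-Allow-Credentials is "true". Header names are lower-cased.
function corsExposesResponse({ requestOrigin, withCredentials, headers }) {
  const allowOrigin = headers["access-control-allow-origin"];
  const allowCreds = headers["access-control-allow-credentials"];
  if (allowOrigin === undefined) return false;
  if (allowOrigin === "*") return !withCredentials;
  if (allowOrigin !== requestOrigin) return false;
  return !withCredentials || allowCreds === "true";
}

// Walk through the scenario from the thread.
function scenario() {
  return {
    popupOrigin: originOf(KITE_POPUP),
    // Session cookie rides along with the popup navigation: rendered logged in.
    cookiesAttachedToPopup: cookiesSentTo(KITE_POPUP),
    // Opener and popup differ in origin: the opener cannot read the popup.
    openerCanReadPopup: canScriptReadWindow(OPENER_PAGE, KITE_POPUP),
    // A credentialed cross-origin fetch from the opener, with Kite sending no
    // CORS headers (assumed), gives the opener nothing it can read.
    openerFetchExposed: corsExposesResponse({
      requestOrigin: originOf(OPENER_PAGE),
      withCredentials: true,
      headers: {},
    }),
  };
}

console.log(scenario());
```

The CORS check is the part worth keeping in mind as a defender: a response that carries `Access-Control-Allow-Origin: *` is never readable by a credentialed request, so a session-bearing API stays opaque to other origins unless the server names that origin and also sets `Access-Control-Allow-Credentials: true`.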