Bengaluru: Over the last two months, a security researcher has unearthed security flaws in at least four consumer internet platforms: online fashion and beauty retailer Nykaa, two-wheeler rental platform Bounce, furniture e-tailer Pepperfry and local search engine Justdial. The flaws potentially put the data of millions of customers at risk, even as the companies rushed to fix them.
Bengaluru-based security researcher Ehraz Ahmed said the security flaws exposed sensitive personal data of at least 200 million customers. The most common flaw among these apps was a defective application programming interface (API), the code through which an app communicates with its back-end servers and databases and fetches information within the application environment.
In one of the latest API flaws detected by Ahmed, Nykaa Fashion’s internal API allowed a potential attacker to log in to any user account if the attacker knew the user’s email ID. Once an account is hijacked, sensitive information such as the address, phone numbers and cart and order list is at risk of being stolen. According to Ahmed, hackers or even telemarketers could use the flaw to mine data on Nykaa users. As per Play Store data, the Nykaa Fashion app had around 500,000 installs.
However, Nykaa Fashion fixed the flaw after being notified by Mint and Ahmed. “We were apprised of a security flaw in one of the APIs of Nykaa Fashion platform, which was rectified by the Nykaa Fashion team immediately. We would like to state that no financial data was breached,” Sanjay Suri, Chief Technology Officer, Nykaa said responding to Mint’s queries.
Ahmed explains that most consumer apps have an API meant for authenticating users using credentials such as an email ID, phone number or user name. After the user submits their credentials, the API responds with a “response token” stating whether the provided credentials matched, following which the user is authenticated and logged in. In all the security flaws unearthed by Ahmed, at Bounce, Pepperfry, Justdial and Nykaa, the API could be tampered with so that a potential attacker obtained a positive response token without holding valid credentials.
However, the four companies mentioned above said that they fixed the flaws immediately once they were notified, and most claim to have a dedicated data security team in place. In the case of two-wheeler rental platform Bounce, a potential hacker could get into a user account if the attacker knew the user’s phone number. Sensitive information such as driving licence details, selfies, phone number, email ID and even the linked Paytm ID was exposed, according to Ahmed’s research.
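The pattern Ahmed describes, an authentication API that hands out a positive response token on the strength of an identifier alone, can be contrasted with the way such an endpoint should work. The following is an added example written for this article, not code from Nykaa, Bounce or any other company named here; the user store, the one-time password (OTP) step and the token format are assumptions for the demonstration. The vulnerable function issues a session as soon as the email exists; the hardened version only mints a token after a credential (here an OTP) is verified, and the token is signed with a key the client never sees, so a forged or tampered response carries no weight on the server.

```python
"""Identifier-only login (the flaw class in the article) beside a hardened flow.

Added illustration; all names, data and the OTP/token scheme are assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample user store (not real customer data).
USERS = {"alice@example.com": {"phone": "+910000000000"}}

# --- Vulnerable pattern ----------------------------------------------------
# The "credential" is just the email address. Anyone who knows it is logged in.
SESSIONS = {}

def vulnerable_login(email):
    if email not in USERS:
        return {"ok": False}
    token = secrets.token_hex(16)
    SESSIONS[token] = email
    return {"ok": True, "token": token}  # positive response without proof of identity

# --- Hardened pattern ------------------------------------------------------
SERVER_KEY = secrets.token_bytes(32)  # never leaves the server
PENDING_OTPS = {}                     # email -> (otp, expiry)
OTP_TTL_SECONDS = 300
SESSION_TTL_SECONDS = 3600

def start_login(email):
    """Step 1: generate a one-time password for a known user.

    Returns the OTP so the demo can run offline; a real service would send it
    out of band (SMS/email) and return nothing that reveals whether the
    account exists, to avoid user enumeration.
    """
    otp = f"{secrets.randbelow(10**6):06d}"
    if email in USERS:
        PENDING_OTPS[email] = (otp, time.time() + OTP_TTL_SECONDS)
    return otp

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def finish_login(email, otp):
    """Step 2: only a correct, unexpired OTP yields a signed session token.

    The pending OTP is consumed on the first attempt, right or wrong, so it
    cannot be brute-forced with repeated calls.
    """
    entry = PENDING_OTPS.pop(email, None)
    if entry is None:
        return None
    expected, expiry = entry
    if time.time() > expiry:
        return None
    if not hmac.compare_digest(expected.encode(), otp.encode()):
        return None
    claims = {"sub": email, "exp": int(time.time()) + SESSION_TTL_SECONDS}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def verify_token(token):
    """Return the authenticated subject, or None if the token is invalid."""
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # signature does not match: tampered or client-made token
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims.get("sub")

def forge_token(token, new_subject):
    """What an attacker who can edit API traffic would try: swap the subject
    inside a valid token while keeping the original signature."""
    body, sig = token.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    claims["sub"] = new_subject
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

if __name__ == "__main__":
    print("vulnerable:", vulnerable_login("alice@example.com"))
    otp = start_login("alice@example.com")
    tok = finish_login("alice@example.com", otp)
    print("hardened subject:", verify_token(tok))
    print("forged subject:", verify_token(forge_token(tok, "mallory@example.com")))
```

The point of the second flow is that "logged in" is a fact the server establishes after checking a secret the user proved they hold, and records in a token only the server can produce. A client that rewrites the response to say `ok: true`, or edits the subject in a token it was given, gains nothing, because every later request is checked against the server's own signature rather than against a flag the client supplied.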
Bounce’s chief executive Vivekananda Hallekere said “the bug (API flaw) does not allow any direct access to the app, therefore any exploitation will require the impersonator to make multiple API calls to recreate the bike booking process without the app, requiring deep programming expertise.”
Hallekere tweeted on Wednesday that the company had launched an investigation into the API flaw, after which it fixed the vulnerability.
The biggest flaw unearthed by Ahmed was at local search platform Justdial in October, which exposed customer data of 150 million registered users due to an erroneously programmed API. Justdial, however, plugged the flaw after being notified. The company had not responded to Mint’s queries at press time.
At least two cybersecurity lawyers and experts that Mint spoke with point out that data security policies globally do not address API security standards, and that the onus of securing APIs falls on the company. Moreover, if a consumer app is discovered to have had data stolen or breached, Indian law does not mandate disclosure to users or the government. Experts say that the privacy bill proposed by the ministry of IT should mandate such disclosures.
“APIs are usually exploited not to capture data (although you can)…they are usually exploited to mess with (network) systems. For example, a hacker can utilize open source APIs of a bank to mess with their system or overload it with requests,” said Mathew Chacko, Partner at SpiceRoute legal which advises companies on cyber security and M&As.
Chacko added that although APIs can be used to steal data, it can be complicated, since after bypassing an API an attacker still needs to reach the database that stores the sensitive information, which sits behind multiple layers of encryption. “To make an API 100% secure is difficult. But to make it 99% secure is possible. Most API security flaws mentioned are very basic, and not complicated; a simple penetration test could have fixed it. It’s basically lack of diligence,” he added.
According to him, fintechs and banks usually have a standalone security team for data security testing, while e-commerce firms have also started adopting data security protocols. “But a vast majority of logistics and mobility players have no dedicated data security teams. All they have to do is to keep an effective bug bounty program…if online products don’t have a bug bounty program on their website, chances are that they don’t focus on data security,” he added.