Over the past two months, a researcher has unearthed security flaws in at least four consumer Internet platforms—online fashion and beauty retailer Nykaa, two-wheeler rental platform Bounce, furniture e-tailer Pepperfry, and search engine Justdial—which have potentially put the data of millions of customers at risk, even as the companies have rushed to fix them.
Bengaluru-based security researcher Ehraz Ahmed said the security flaws have exposed personal data of at least 200 million customers. The most common flaw among these apps was defective application programming interfaces (APIs)—the interfaces through which an application communicates with back-end servers and databases to fetch information within the application environment.
In one of the API flaws detected by Ahmed, Nykaa Fashion’s internal API allowed a potential attacker to log in to any user account if the attacker had access to the user’s email ID. Once an account is hijacked, sensitive information is at risk of being stolen. According to Ahmed, hackers or even telemarketers could use the flaw to mine data of Nykaa users. According to Play Store data, the Nykaa app has around 500,000 installs.
However, Nykaa Fashion fixed the flaw after being notified by Mint and Ahmed. “We were apprised of a security flaw in one of the APIs of Nykaa Fashion platform, which was rectified by the Nykaa Fashion team immediately. We would like to state that no financial data was breached," Sanjay Suri, chief technology officer, Nykaa, said in response to Mint’s queries.
Ahmed explains that most consumer apps have an API meant for authenticating users with credentials such as an email ID, phone number or user name. After the user inputs their credentials, the API responds with a “response token" stating whether the provided credentials matched, after which the user is authenticated and logged in. In all the security flaws unearthed by Ahmed, this API could be manipulated through a loophole that allowed a potential attacker to generate a positive response token.
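To make the flaw class concrete, here is an added illustration of the login-API pattern Ahmed describes. It is not code from any of the companies named or from the researcher; the user store, passwords and token format are constructed for the example. The vulnerable handler grants a session token to anyone who knows a registered email address, which is the behaviour the article attributes to the Nykaa API; the hardened handler verifies a password hash in constant time and issues an HMAC-signed, expiring token that the server can validate and that cannot be spliced or forged without the server key.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample user store (not real data). Passwords are stored only as
# salted hashes; the plaintexts appear below solely so the example runs offline.
_SALT = b"constructed-example-salt"


def _hash_pw(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {
    "alice@example.com": {"user_id": 101, "pw_hash": _hash_pw("correct horse")},
    "bob@example.com": {"user_id": 102, "pw_hash": _hash_pw("battery staple")},
}

# Server-side secret used to sign tokens; never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def vulnerable_login(request: dict) -> dict:
    """The flaw class from the article: the endpoint only checks that the
    email exists, so knowing an address is enough to receive a success token.
    The token is also predictable and unsigned, so it can be guessed outright."""
    user = USERS.get(request.get("email"))
    if user is None:
        return {"success": False}
    return {"success": True, "token": f"uid-{user['user_id']}"}


def issue_token(user_id: int, ttl_seconds: int = 3600) -> str:
    """Build '<base64 payload>.<hex HMAC-SHA256>' bound to the server key."""
    claims = {"uid": user_id, "exp": int(time.time()) + ttl_seconds}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str):
    """Return the user_id if the signature and expiry check out, else None."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # payload was altered or signed with a different key
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] < time.time():
        return None
    return claims["uid"]


def hardened_login(request: dict) -> dict:
    """Require a matching password before any token is issued. The same
    failure response is returned for an unknown email and a wrong password so
    the endpoint does not reveal which addresses are registered."""
    user = USERS.get(request.get("email"))
    supplied_hash = _hash_pw(request.get("password", ""))
    if user is None or not hmac.compare_digest(user["pw_hash"], supplied_hash):
        return {"success": False}
    return {"success": True, "token": issue_token(user["user_id"])}


def splice_payload(token_a: str, token_b: str) -> str:
    """Tampering check used in tests: token_b's claims with token_a's signature.
    verify_token must reject the result because the HMAC no longer matches."""
    return token_b.split(".", 1)[0] + "." + token_a.split(".", 1)[1]


if __name__ == "__main__":
    print("vulnerable, email only:", vulnerable_login({"email": "alice@example.com"}))
    print("hardened, email only:  ", hardened_login({"email": "alice@example.com"}))
    ok = hardened_login({"email": "alice@example.com", "password": "correct horse"})
    print("hardened, valid creds: ", verify_token(ok["token"]))
```

The `verify_token` step is the part the article's defective APIs lacked: whether a caller is logged in must be decided by the server re-checking a token it signed, not by a success flag or identifier the client can reproduce.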
However, the four companies mentioned above said that they fixed the flaws immediately once notified, and most claim to have dedicated data security teams in place. In the case of two-wheeler rental platform Bounce, a potential hacker could gain access to a user account provided the attacker had the user’s phone number. Sensitive information such as driving license details, phone number, email IDs and even linked Paytm IDs was exposed, according to Ahmed’s research.
Bounce’s CEO Vivekananda Hallekere said that “the bug does not allow any direct access to the app, therefore any exploitation will require the impersonator to make multiple API calls to recreate the bike booking process without the app, requiring deep programming expertise." He tweeted on Wednesday that the company had launched an investigation into the API flaw and fixed the vulnerability.
The biggest flaw unearthed by Ahmed was at local search platform Justdial in October, where an erroneously programmed API exposed customer data of 150 million registered users. Justdial plugged the flaw after being notified, but the company did not respond to Mint’s queries by press time.
At least two cybersecurity lawyers and experts that Mint spoke to said data security policies do not address API security standards, and that the onus of securing APIs is on the company. Moreover, if a consumer app is found to have had data stolen or breached, Indian law does not mandate disclosure to users or the government. Experts said the privacy bill proposed by the ministry of IT should mandate such disclosures. “APIs are usually exploited not to capture data (although you can)…they are usually exploited to tamper with (network) systems. For example, a hacker can utilize open source APIs of a bank to tamper with their system or overload it with requests," said Mathew Chacko, Partner at SpiceRoute Legal, which advises companies on cyber security and M&As.