paint-brush
How a startup pivot led to users data leak vulnerabilityby@fallible
341 reads
341 reads

How a startup pivot led to users data leak vulnerability

by FallibleFebruary 11th, 2017
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

We have a rather interesting data leak story to share. The company having the vulnerability has more than 5 million users. One of the API endpoints could be used to iterate over all users data including name, phone umbers, email addresses, profile picture, user metadata and saved physical address. The data leak looks fixed now but we have been unable to receive a response or confirmation from them so that we could share this post with them as requested before publishing.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - How a startup pivot led to users data leak vulnerability
Fallible HackerNoon profile picture

We have a rather interesting data leak story to share. The company having the vulnerability has more than 5 million users. One of the API endpoints could be used to iterate over all users data including name, phone umbers, email addresses, profile picture, user metadata and saved physical address. The data leak looks fixed now but we have been unable to receive a response or confirmation from them so that we could share this post with them as requested before publishing.

Data leaks in consumer tech companies effectively exposes their users to a variety of issues including identity theft, physical scams, spam and even threats. There was a recent incident of prepaid mobile recharge shops in India selling phone numbers of random women for money. Phone numbers also enable search on Facebook.

Here is the complete email we sent to disclose the vulnerability along with the technical details. (The extra HTTP headers for 3rd party services in the curl request have been removed and auth tokens changed. We have also removed the curl response with users personal data.) The API uses a JSON Web Token (JWT) for authentication that is possibly consumed in apps being used before the pivot. Post pivot, the company added another JWT for newer apps but kept on using the earlier code to fetch authenticated user-id from the old token leading to open access to all user data. The JWT when decoded contains the following data, with the id being a small integer that can be iterated and new tokens created to fetch corresponding user data.

{“user_name”:null,”id”:XXXX,”mobile”:”YYYYYYYYYY”,”expires”:180558878080}

Hi Founder,

We have researched a security vulnerability in your API used by mobile apps that exposes your users personal data including possibly email, phone numbers, name and address. Here are the technical details to reproduce the issue. We are assuming to support both Akosha and Helpchat clients through the same API, two JWT Auth tokens are being used with only the Akosha one being verified but the authenticated userid for this endpoint is being extracted from the Helpchat token. The userid in the Helpchat token can be changed and a script enumerating all user ids can be used to fetch all user data. A sample data extracted is shown below the curl request.

Please do let us know when you fix this.

Regards,

XXXXXX

https://fallible.co

curl -H ‘Host:api.helpchat.in’ -H ‘User-Agent:helpchat/3.2.1.1 CFNetwork/808.0.2 Darwin/16.0.0’ -H ‘X-HELPCHAT-AUTH:eyJ1c2VyX25hbWUiOm51bGwsImlkIjpYWFhYWFhYWFgsIm1vYmlsZSI6IlhYWFhYWFhYWFgiLCJleHBpcmVzIjoxODAwNRc4=.ODc4MDgwfQUzaVoPFAQsLwsHTjxC0YA=’ -H ‘Connection:keep-alive’ -H ‘X-APP-VERSION:3.2.1.1’ -H ‘X-AKOSHA-AUTH:eyJ1c2VyX25hbWUiOm51bGwsImlkIjpYWFhYLCJtb2JpbGUiOiJZWVlZWVlZWVlZIiwiZXhwaXJlcyI6MTgXMDU1ODg3ODA4=.MH0FM2laDxQELC8LB048QtGA’ -H ‘Accept-Language:en-us’ -H ‘Accept:application/json’ -H ‘Content-Type:application/json’ -H ‘Accept-Encoding:application/json’ ‘https://api.helpchat.in/consumers/v1/customers/me/'

Mail responses:

#1

#2

#3

#4

This was the last email we sent on 10 Feb 2017 asking if a fix has been applied. We have not received a response yet but have verified that the bug has been fixed. This sad practice of not communicating at all with security researchers or not allowing a public disclosure after fix is sadly more prevalent in South Asia than other mature markets. We sincerely hope the companies become more aware and at-least inform their users of the security issues.