UPDATED 00:41 EST / JUNE 10 2015

Zomato hacked by white hat, who was nice enough to let them know

Online restaurant review site Zomato Media Pvt Ltd, owner of the service previously known as Urbanspoon, has been hacked by a white hat who, fortunately for Zomato, contacted the company with details of the vulnerability.

Along with private details of Zomato users, the exposed data also included Instagram access tokens, which would have given access to those users' private photos on Instagram.

The hacker, who goes by the name Anand Prakash, published the details of the vulnerability on his blog, explaining how it works:

While creating an account, a user can store his phone number, addresses, date of birth, link Instagram account etc. In one of the API calls, they were reflecting the user data based on the “browser_id” parameter in the API request. Interestingly, changing the “browser_id” sequentially resulted in data leakage of other Zomato users. The data leaked also had Instagram access token which could be used to see private photos on Instagram of respective Zomato users.

He goes on to explain that Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input.

“As a result of this vulnerability,” he notes, “attackers can bypass authorization and access resources in the system directly, for example database records or files.”

Insecure Direct Object References (IDOR) allow attackers to bypass authorization and access resources directly by modifying the value of a parameter that points straight at an object. Such resources can be database records belonging to other users, files on the system, and more. The root cause is that the application takes user-supplied input and uses it to retrieve an object without checking that the requesting user is actually entitled to that object. Predictable identifiers, such as the sequential browser_id in this case, make the problem worse because they let an attacker enumerate every record with a simple loop, but the missing authorization check is the actual bug: an unguessable identifier only slows the attack down.
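To make the mechanism concrete, here is an added Python illustration of the flaw described in Prakash's write-up and in the paragraph above. It is not Zomato's code and not code from Prakash; the user records, field names and the two handler functions are constructed for this example, and only the idea of a sequential browser_id parameter comes from the article. The vulnerable handler returns whatever record the client names; the fixed handler ties the lookup to the authenticated session and stops echoing the third-party token altogether.

```python
"""Added example: an IDOR in a profile-lookup API, vulnerable and fixed.

Assumptions (not from the original article): the in-memory USERS table,
the record fields, and the function names profile_api_vulnerable,
profile_api_fixed and enumerate_ids are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class UserRecord:
    browser_id: int
    email: str
    phone: str
    instagram_token: Optional[str]  # third-party access token, if linked


# Constructed sample data standing in for the user table. Note the
# sequential ids: an attacker who knows one can guess the rest.
USERS: Dict[int, UserRecord] = {
    1001: UserRecord(1001, "alice@example.com", "+91-5550101", "token-alice"),
    1002: UserRecord(1002, "bob@example.com", "+91-5550102", None),
    1003: UserRecord(1003, "carol@example.com", "+91-5550103", "token-carol"),
}


def profile_api_vulnerable(session_user: int, browser_id: int) -> Optional[dict]:
    """Vulnerable handler: the lookup key comes straight from the request.

    `session_user` is the id of the logged-in caller, but it is never
    compared against `browser_id`, so any caller can read any record.
    """
    rec = USERS.get(browser_id)
    if rec is None:
        return None
    # Reflecting the token back is a second mistake layered on the IDOR.
    return {
        "email": rec.email,
        "phone": rec.phone,
        "instagram_token": rec.instagram_token,
    }


def profile_api_fixed(session_user: int, browser_id: int) -> Optional[dict]:
    """Hardened handler: the object is returned only to its owner.

    The check happens before the lookup so that a foreign id produces the
    same response as a non-existent one, giving the caller no signal about
    which ids are valid. The Instagram token stays server-side; the client
    only needs to know whether an account is linked.
    """
    if browser_id != session_user:
        return None  # a real API would answer 403 or 404 here
    rec = USERS.get(browser_id)
    if rec is None:
        return None
    return {
        "email": rec.email,
        "phone": rec.phone,
        "instagram_linked": rec.instagram_token is not None,
    }


def enumerate_ids(
    api: Callable[[int, int], Optional[dict]],
    session_user: int,
    start: int,
    count: int,
) -> Dict[int, dict]:
    """The attacker's loop: walk sequential ids and keep every foreign record.

    Running this against the two handlers is also the simplest manual test
    for an IDOR: log in as one user and request another user's id.
    """
    leaked: Dict[int, dict] = {}
    for bid in range(start, start + count):
        data = api(session_user, bid)
        if data is not None and bid != session_user:
            leaked[bid] = data
    return leaked


if __name__ == "__main__":
    # Logged in as alice (1001), sweep ids 1000..1004 against both handlers.
    print("vulnerable:", enumerate_ids(profile_api_vulnerable, 1001, 1000, 5))
    print("fixed:     ", enumerate_ids(profile_api_fixed, 1001, 1000, 5))
```

Against the vulnerable handler the sweep returns Bob's and Carol's records, Carol's Instagram token included; against the fixed handler it returns nothing, while Alice can still fetch her own profile. The same two-account swap test is what a practitioner would run against any endpoint that takes an object id: if a second account's id comes back with data, the authorization check is missing.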

The good news is that after the discovery Prakash contacted Zomato with the details, and he claims that it was quickly patched.

Timely reminder

While Tech In Asia claims that this case, along with others, may be representative of Indian startups taking security for granted (possibly an exaggeration), it is a timely reminder for companies globally to take more care when it comes to security, particularly companies such as Zomato that have tens, sometimes hundreds, of millions of registered users.

That said, Zomato failing to protect against an Insecure Direct Object Reference attack is lazy to say the least; it is a problem companies were experiencing ten years ago, and one that should not still be occurring in 2015.

At the time of writing Zomato has not publicly commented.

Image credit: adulau/Flickr/CC by 2.0
