We discovered severe bugs in 11 startups worth $3 billion+ in a week

Written by fallible | Published 2015/10/06
Tech Story Tags: startup | cybersecurity | india

TL;DR

Multiple bugs in Indian startups, ranging from user data leaks and access to other users' accounts to free orders.

UPDATE (23 Oct): We discovered bugs in 4 more startups last week, almost all of them on their way to becoming unicorns. We will post the details on our blog once the respective bugs are fixed.

Why write this post?

We disclosed the bugs responsibly to the top execs of the respective startups. Some of the startups acted swiftly, others needed multiple emails, but unfortunately some did not reply even after repeated emails, putting sensitive user data and some VC money at risk. Some of the bugs were somewhat trivial: any decent engineer could get your personal data and sell it to brokers on the grey market.

This post is to draw the attention of the companies that have still not responded. Maybe social media can help. To be clear, we only discovered existing security vulnerabilities and informed the companies involved. We did not try to intrude into anyone's external or internal systems.

Our criteria for selecting startups to test

We could not check all startups for bugs due to a shortage of time. We included startups that have raised more than $10 million or are worth more than $100 million. In the context of India, $100 million is a lot of money, since the biggest startup acquisition in India so far was Freecharge for $400 million. All of the companies are consumer startups whose services are used by thousands of people every day.

Most of the bugs were logic flaws that ideally should have been caught at the whiteboard stage. They cannot be detected by automated vulnerability scanners, which work for things like SQL injection and XSS. Frankly speaking, we did not check for XSS or SQL injection comprehensively, since we found so many other bugs.

We checked 18 startups for security vulnerabilities and discovered bugs in 11 of them. The most serious was user data leakage, which affected 5 of them and a total of around 2,650,000 users. The leaked data included addresses, phone numbers, emails, order history and, surprisingly, unsalted password hashes in two of them. Four had bugs related to online payments, due to which we could order some test items from all of them. There were authentication issues in two startups: one in the way social login was implemented, the other in the implementation of OTPs, which gave access to anyone's account if you knew their email address. One startup probably had HTML sanitization code that did not handle recursive XSS test strings, leaving the Nginx server waiting for the application server to respond until the timeout kicked in; with some effort this could be exploited to bring down the server. There was a reflected XSS on the desktop version of one startup's website. It could be exploited, for example, by emailing users an offer code and asking them to log in through a link on the startup's own domain that shows a page looking exactly like the login page, thereby capturing their passwords. Some mobile browsers have even stopped showing the full URL, which would help such an attack.

We are also investigating a potential bug in a payment gateway provider that almost all Indian startups use as one of their ways to process online payments.

How startups responded (or not)

We are currently a team of 2 people, Manish & Abhishek. We have previously worked at large internet companies, tiny startups and huge enterprise web product companies. We are working full-time on creating Fallible, a product that helps startups secure their systems. We continuously monitor your setup, including external APIs and apps, for bugs, monitor server logs for intrusion detection, and perform a security assessment whenever we detect code changes in production. We automate as much as possible with existing tools and develop our own when required. We do manual checks wherever necessary (logic flows, payments). We also work with external security researchers who find bugs in your system and dole out suitable bounties to keep them interested. We have already signed up a couple of potential unicorns and are looking to help more startups. Our plans start at $1400/month, billed annually. Check out the pricing and features at https://fallible.co/pricing or contact us at hello@fallible.co for a free scan of your mobile apps. If you are working on a startup and are in Bangalore, we would love to meet you; just drop a word at the email address above.


Published by HackerNoon on 2015/10/06