How a startup pivot led to a user data leak vulnerability

Written by fallible | Published 2017/02/11
Tech Story Tags: api | security | technology | cybersecurity | startup


We have a rather interesting data leak story to share. The company with the vulnerability has more than 5 million users. One of its API endpoints could be used to iterate over all users' data, including name, phone numbers, email addresses, profile picture, user metadata and saved physical address. The leak looks fixed now, but we have been unable to get a response or confirmation from them so that we could share this post with them, as requested, before publishing.

Data leaks in consumer tech companies effectively expose their users to a variety of issues, including identity theft, physical scams, spam and even threats. There was a recent incident of prepaid mobile recharge shops in India selling the phone numbers of random women for money. Phone numbers also enable search on Facebook.

Here is the complete email we sent to disclose the vulnerability, along with the technical details. (The extra HTTP headers for third-party services in the curl request have been removed and the auth tokens changed. We have also removed the curl response containing users' personal data.) The API uses a JSON Web Token (JWT) for authentication that is presumably consumed by the apps in use before the pivot. After the pivot, the company added another JWT for the newer apps but kept using the earlier code to fetch the authenticated user id from the old token, leading to open access to all user data. The JWT, when decoded, contains the following data, with the id being a small integer that can be iterated and new tokens created to fetch the corresponding user's data.

```json
{"user_name":null,"id":XXXX,"mobile":"YYYYYYYYYY","expires":180558878080}
```

Hi Founder,

We have researched a security vulnerability in your API used by mobile apps that exposes your users' personal data, including possibly email, phone numbers, name and address. Here are the technical details to reproduce the issue. We are assuming that, to support both Akosha and Helpchat clients through the same API, two JWT auth tokens are being used, with only the Akosha one being verified, but the authenticated user id for this endpoint is being extracted from the Helpchat token. The user id in the Helpchat token can be changed, and a script enumerating all user ids can be used to fetch all user data. A sample of the data extracted is shown below the curl request.

Please do let us know when you fix this.

Regards,

XXXXXX

https://fallible.co

```shell
curl -H 'Host:api.helpchat.in' \
  -H 'User-Agent:helpchat/3.2.1.1 CFNetwork/808.0.2 Darwin/16.0.0' \
  -H 'X-HELPCHAT-AUTH:eyJ1c2VyX25hbWUiOm51bGwsImlkIjpYWFhYWFhYWFgsIm1vYmlsZSI6IlhYWFhYWFhYWFgiLCJleHBpcmVzIjoxODAwNRc4=.ODc4MDgwfQUzaVoPFAQsLwsHTjxC0YA=' \
  -H 'Connection:keep-alive' \
  -H 'X-APP-VERSION:3.2.1.1' \
  -H 'X-AKOSHA-AUTH:eyJ1c2VyX25hbWUiOm51bGwsImlkIjpYWFhYLCJtb2JpbGUiOiJZWVlZWVlZWVlZIiwiZXhwaXJlcyI6MTgXMDU1ODg3ODA4=.MH0FM2laDxQELC8LB048QtGA' \
  -H 'Accept-Language:en-us' \
  -H 'Accept:application/json' \
  -H 'Content-Type:application/json' \
  -H 'Accept-Encoding:application/json' \
  'https://api.helpchat.in/consumers/v1/customers/me/'
```
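To make the root cause concrete, here is an added Python sketch of the server-side mistake described in the email (verify one token, but take the user id from the other, unverified one) next to a hardened version. This is illustrative code written for this post, not the company's code; the token layout (base64 claims, a dot, base64 HMAC-SHA256 signature), the secrets, the header names' handling and the sample claims are all assumptions.

```python
import base64, hashlib, hmac, json

# Constructed secrets for this example; the real service's keys are not known.
AKOSHA_SECRET = b"akosha-secret-example"
HELPCHAT_SECRET = b"helpchat-secret-example"

def make_token(payload: dict, secret: bytes) -> str:
    """Assumed token shape: base64(json) '.' base64(HMAC-SHA256 over the json)."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(sig).decode()

def decode_verified(token: str, secret: bytes) -> dict:
    body_b64, sig_b64 = token.split(".", 1)
    body = base64.b64decode(body_b64)
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_b64)):
        raise PermissionError("bad signature")
    return json.loads(body)

def user_id_vulnerable(headers: dict) -> int:
    # The flaw the post describes: the Akosha token is verified, but the id used
    # comes from the Helpchat token, whose claims are only decoded, never checked.
    decode_verified(headers["X-AKOSHA-AUTH"], AKOSHA_SECRET)
    claims = json.loads(base64.b64decode(headers["X-HELPCHAT-AUTH"].split(".", 1)[0]))
    return claims["id"]

def user_id_fixed(headers: dict) -> int:
    # Every token that contributes an identity is verified with its own key, and
    # two tokens presented together must name the same user.
    akosha = decode_verified(headers["X-AKOSHA-AUTH"], AKOSHA_SECRET)
    helpchat = decode_verified(headers["X-HELPCHAT-AUTH"], HELPCHAT_SECRET)
    if akosha["id"] != helpchat["id"]:
        raise PermissionError("token identity mismatch")
    return helpchat["id"]

def demo() -> tuple:
    legit = {"user_name": None, "id": 4242, "mobile": "9999999999", "expires": 180558878080}
    headers = {"X-AKOSHA-AUTH": make_token(legit, AKOSHA_SECRET),
               "X-HELPCHAT-AUTH": make_token(legit, HELPCHAT_SECRET)}
    # Same caller, but the Helpchat claims now say id 1, signed with a key the caller made up.
    tampered = dict(headers, **{"X-HELPCHAT-AUTH": make_token(dict(legit, id=1), b"guess")})
    try:
        user_id_fixed(tampered)
        rejected = False
    except PermissionError:
        rejected = True
    return user_id_vulnerable(headers), user_id_vulnerable(tampered), user_id_fixed(headers), rejected
```

`demo()` returns `(4242, 1, 4242, True)`: the vulnerable handler serves whatever id the unverified token claims, while the fixed handler still serves the legitimate caller and rejects the edited token.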

Mail responses: [screenshots #1 to #4 of the emails sent, not reproduced in text]

This was the last email we sent, on 10 Feb 2017, asking whether a fix had been applied. We have not received a response yet but have verified that the bug has been fixed. This sad practice of not communicating at all with security researchers, or of not allowing public disclosure after a fix, is more prevalent in South Asia than in other, more mature markets. We sincerely hope companies become more aware and at least inform their users of security issues.


Published by HackerNoon on 2017/02/11