Droom security flaw risked banking details of millions
Just days after Airtel, Droom, India's leading marketplace for used vehicles, has run into security trouble. The platform, which has grown steadily over the last few years, had a critical security flaw that put the personal and financial details of millions of users at risk. The company has since fixed the issue. Here's all about it.
Bug leaking personal details, financial information
First discovered by security researcher Sayaan Alam, the bug was a misconfiguration of the Facebook sign-in API used on Droom's site. According to Alam, anyone who knew a Droom user's email address could have exploited the misconfigured API to gain access to all of that account's information, from address and mobile number to Aadhaar, PAN, and bank account number.
Attacker could have replaced their own email with target's email
"Facebook's authentication gives a site a unique token, which is used to confirm your sign-in details," Alam told Gadgets360. "But due to a misconfiguration, [an] attacker can change their email ID to [the] victim's email ID and this gives him access to other user's account."
Full proof of concept of the possible attack shared
Alam shared a complete proof-of-concept of the attack that the flaw in Droom's system made possible. He said an attacker would have needed only a user's email address to carry out the attack and obtain the information listed above, along with the user's Droom wallet balance and purchase history, among other things. Notably, the attack would also have exposed users' bank IFSC codes.
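The pattern Alam describes, a site that validates the social-login token but then selects the account by an email address the client supplies, is a common class of OAuth integration bug. The following is an added illustration of that class, written for this page; it is not Droom's code and nothing here is taken from Alam's proof of concept. The identity provider is a small in-memory stand-in (the real Facebook Graph API endpoints such as `/debug_token` are assumed and not exercised), and the user records, tokens and email addresses are all constructed sample data.

```python
"""
Token-vs-email binding bug in a social-login handler (constructed example).

`provider_inspect` stands in for an identity provider's token-introspection
call (Facebook's /debug_token is the assumed real-world equivalent). Both
login handlers receive a request body of the form:
    {"token": "<provider access token>", "email": "<client-supplied email>"}
"""

# --- constructed stand-in for the identity provider ----------------------
# Opaque access token -> the app and email the provider issued it for.
PROVIDER_TOKENS = {
    "tok-attacker":  {"app_id": "droom-app",      "email": "attacker@example.com"},
    "tok-other-app": {"app_id": "some-other-app", "email": "victim@example.com"},
}

OUR_APP_ID = "droom-app"   # assumed app identifier for the site


def provider_inspect(token):
    """Return the provider's binding for a token, or None if it is not valid."""
    return PROVIDER_TOKENS.get(token)


# --- constructed site user database --------------------------------------
USERS = {
    "attacker@example.com": {"name": "Mallory", "aadhaar": None,             "ifsc": None},
    "victim@example.com":   {"name": "Alice",   "aadhaar": "XXXX-XXXX-1234", "ifsc": "SBIN0001234"},
}


def vulnerable_social_login(request):
    """
    Misconfigured handler.

    It does confirm that the token is genuine, but then looks the account
    up by the email field in the request body. The token only proves the
    caller signed in to the provider as *someone*; it says nothing about
    whether the caller owns request["email"]. An attacker with their own
    valid token and a victim's email address lands in the victim's account.
    """
    info = provider_inspect(request["token"])
    if info is None:
        return None
    return USERS.get(request["email"])          # attacker-controlled field


def hardened_social_login(request):
    """
    Hardened handler.

    The email is taken from the provider's answer about the token, never
    from the request body, and the token must have been issued to this
    app so a token obtained from some other app cannot be replayed here.
    Any email the client sends is ignored for account selection.
    """
    info = provider_inspect(request["token"])
    if info is None or info["app_id"] != OUR_APP_ID:
        return None
    return USERS.get(info["email"])             # provider-asserted identity


if __name__ == "__main__":
    attack = {"token": "tok-attacker", "email": "victim@example.com"}
    print("vulnerable ->", vulnerable_social_login(attack)["name"])   # Alice
    print("hardened   ->", hardened_social_login(attack)["name"])     # Mallory
```

The fix is not to validate the token harder; it is to stop using any client-supplied identity field to pick an existing account. If the site needs an email for a first-time sign-up, it should still take it from the provider's response for the token, and treat the request body's value as untrusted input.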
Of late, many India-centric services facing security issues
The issue adds Droom to the list of India-centric services that have recently faced security problems. A few days earlier, Airtel disclosed and patched a major security flaw; before that, there were security loopholes in the popular caller-ID service Truecaller and the local search app Justdial. All of these issues put the private data of millions of customers at risk.
Droom fixed the flaw but didn't say anything
Following Alam's report, Gadgets360 verified the bug and reached out to Droom to alert the company to the security risk. Droom took note of the matter, discussed its severity with Alam, and issued a patch a few hours later. However, it has said nothing about the flaw itself, such as how long it had been present on the platform or whether anybody had exploited it.