The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 1 to 2.
Hacker steals 17 million Zomato users’ data, briefly puts it on dark web
https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web
<b>Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.</b>
<p style="text-align: justify; ">The article by Kim Arora and Digbijay Mishra with inputs from Ranjani Ayyar in Chenna was <a class="external-link" href="http://timesofindia.indiatimes.com/india/hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web/articleshow/58742129.cms">published in the Times of India</a> on May 19, 2017. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">According to information security blog and news website <a class="key_underline" href="http://timesofindia.indiatimes.com/topic/HackRead">HackRead</a>, the data was being peddled online on the "dark web" for about $1,000. The company, also a food delivery platform, advised users to change passwords. However, late on Thursday night, <a class="key_underline" href="http://timesofindia.indiatimes.com/topic/Zomato">Zomato</a> claimed it had contacted the hacker and persuaded him/her to not only destroy all copies of the data, but also to take the database off the dark web marketplace. The company said it will post an update on how the breach happened once they "close the loopholes".</p>
<p style="text-align: justify; ">In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.</p>
<p style="text-align: justify; ">The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users was compromised. It wasn't immediately clear whether this 6.6 million was part of the 17 million records stolen.</p>
<p style="text-align: justify; ">Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.</p>
<p style="text-align: justify; ">However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.</p>
<p style="text-align: justify; ">Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.</p>
<p style="text-align: justify; ">"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.</p>
<p style="text-align: justify; ">Password "hashing" is an encryption technique usually used for large online user databases. The strength of the encryption depends on the algorithm employed to do the same. "Salting" is the addition of a string of characters to the passwords when stored on such a database, which adds another layer of difficulty in cracking them.</p>
<p style="text-align: justify; ">In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."</p>
<p style="text-align: justify; ">HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.</p>
<p style="text-align: justify; ">According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.</p>
<p style="text-align: justify; ">What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says, 60% of its users use such third party authorisation, and they are at "zero risk."</p>
<p style="text-align: justify; ">Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web'>https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web</a>
</p>
No publisherpraskrishnaCyber SecurityHackingInternet GovernancePrivacy2017-05-20T05:57:14ZNews ItemDeveloper team fixed vulnerabilities in Honorable PM's app and API
https://cis-india.org/internet-governance/blog/major-security-flaw-namo-app
<b>The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.</b>
<p><strong>This blog post has been authored by Bhavyanshu Parasher</strong>. The original post can be<a class="external-link" href="https://bhavyanshu.me/major-security-flaw-pm-app/09/29/2015"> read here</a>.</p>
<hr />
<h2 style="text-align: justify; ">What were the issues?</h2>
<p style="text-align: justify; "><span>The main issue was how the app was communicating with the API served by narendramodi.in.</span></p>
<div id="_mcePaste" style="text-align: justify; "><ol>
<li>I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.</li>
<li>There was no authentication check for API endpoints. Like, I was able to comment as any xyz user just by hand-crafting the requests.</li>
<li>The API was still being served over HTTP instead of HTTPS.</li>
</ol></div>
<h3 style="text-align: justify; ">Fixed</h3>
<ol style="text-align: justify; ">
<li>The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.</li>
<li>A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.</li>
<li>Blocked HTTP. Every response is served over HTTPS. The people on older versions (which was serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figuered out a way to deal with people running older versions of the app. Atleast now they will update the app.</li>
</ol>
<h2 style="text-align: justify; ">Detailed Vulnerability Disclosure</h2>
<p style="text-align: justify; ">Found major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps log of data, which it probably does, then they might already have your email address, passwords etc in plain text. So if you were using this app,<strong> I would suggest you to change your password immediately</strong>. Can’t leave out a possibility of it being compromised.</p>
<p style="text-align: justify; ">Another major problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address, fb profile pictures of those registered via fb) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain you with a demo.</p>
<p style="text-align: justify; ">The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simply script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/App.png/@@images/7bec3ca6-0808-4d19-9711-bc084b507f61.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/copy_of_App.png/@@images/2e499adb-b621-4bc4-a490-f8957c9ac1d7.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I would have been able to get in touch with team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us lot of time. The team did a great job by fixing the issues and that’s what matters.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Disclosure to officials</h2>
<p style="text-align: justify; ">The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.</p>
<p style="text-align: justify; ">Vulnerability disclosed to authorities on 30th sep, 2015 around 5:30 AM</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/Tweet1.png" alt="Tweet 1" class="image-inline" title="Tweet 1" /></p>
<p style="text-align: justify; ">After about 30 hours of reporting the vulnerabillity</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/Tweet2.png" alt="Tweet 2" class="image-inline" title="Tweet 2" /></p>
<h2 style="text-align: justify; ">Proposed Solution</h2>
<p style="text-align: justify; "><span>Consulted </span><a href="https://twitter.com/pranesh_prakash">@pranesh_prakash</a><span> as well regarding the issue.</span></p>
<p style="text-align: justify; "><span><img src="https://cis-india.org/home-images/Tweet3.png" alt="Tweet 3" class="image-inline" title="Tweet 3" /></span></p>
<p style="text-align: justify; ">After this, I mailed them a solution regarding the issues.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Discussion with developer</h2>
<p style="text-align: justify; ">Received <strong>phone call</strong> from a developer. Discussed possible solutions to fix it.</p>
<p style="text-align: justify; "><strong>The solution that I proposed could not be implemented </strong>since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash app for people running the older versions. Main problem is that <strong>people don’t upgrade to latest versions leaving themselves vulnerable to security flaws</strong>. The one I proposed is a better way of doing it I think but it will break for people using older versions as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/Tweet4.png" alt="Tweet 4" class="image-inline" title="Tweet 4" /></p>
<p style="text-align: justify; ">On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. <strong>I can now confirm they have fixed all three issues</strong>.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Update 12/02/2016</h2>
<p style="text-align: justify; "><a class="external-link" href="http://www.dailyo.in/variety/narendra-modi-namo-app-hacker-security-concerns-javed-khatri-demonetisation-survey-bjp-voter-data/story/1/14347.html">This vulnerability</a> in NM app is similar to the one I got fixed last year. Like I said before also, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why would they introduce personal information in JSON output again if they knew that’s a privacy problem and has been reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for API. That should take care of most of vulnerabilities.</p>
<p style="text-align: justify; ">Also read:</p>
<ul>
<li><a class="external-link" href="http://www.newindianexpress.com/nation/2016/dec/02/narendra-modi-app-hacked-by-youngster-points-out-risk-to-7-million-users-data-1544933--1.html">Narendra Modi app hacked by youngster, points out risk to 7 million users’ data</a> (New Indian Express; December 2, 2016)</li>
<li><a class="external-link" href="http://indiatoday.intoday.in/story/security-22-year-old-hacks-modi-app-private-data-7-million/1/825661.html">Security flaw: 22-year-old hacks Modi app and accesses private data of 7 million people</a> (India Today; December 2, 2016)</li>
<li><a class="external-link" href="http://thewire.in/84148/tech-security-namo-api/">The NaMo App Non-Hack is Small Fry – the Tech Security on Government Apps Is Worse</a> (The Wire; December 3, 2016)</li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/major-security-flaw-namo-app'>https://cis-india.org/internet-governance/blog/major-security-flaw-namo-app</a>
</p>
No publisherpraneshPrivacySecurityInternet GovernanceData ProtectionCyber SecurityHackingMobile AppsData Management2016-12-04T19:08:56ZBlog Entry