Droom, one of India’s largest online marketplaces for buying and selling vehicles, has fixed a severe security flaw that was exposing the personal data and banking details of millions of its users. The flaw, which stemmed from a misconfiguration of the Facebook sign-in API, could give malicious hackers easy access to user details such as names, addresses, phone numbers, Aadhaar numbers, PAN card numbers, and their purchase history on Droom. Moreover, banking details of users such as the name of their bank, account number, and IFSC code could also be accessed easily using nothing more than the registered email ID of a Droom user.
Independent security researcher Sayaan Alam reached out to Gadgets 360 with his findings on the aforesaid security flaw in Droom’s system, and also shared with us a proof of concept (PoC) of how hackers could exploit the bug to gain access to user data. We were able to verify Alam’s findings by creating a Droom account and completing the user profile with fake details in the required fields. All of these details, including user name, address, phone number, Aadhaar number, PAN card number, bank account number, purchase history, and more, were pulled out by Alam within a very short span of time after exploiting the flaw.
“The issue lay with the misconfiguration of the Facebook sign-in API. Facebook’s authentication gives a site a unique token, which is used to confirm your sign-in details. But due to a misconfiguration, an attacker can change their email ID to the victim’s email ID, and this gives them access to the other user’s account,” Alam told Gadgets 360.
“The bug grants customers’ login account access to anyone who knows their email ID—and from there, it’s possible to extract a person’s full name, address, phone number, Aadhaar card number, PAN card number, bank account details, and wallet balance access, apart from their purchase history with Droom,” added the security researcher, who is still in his teens.
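As an added illustration (not Droom’s code and not Alam’s PoC), the Python sketch below contrasts the pattern the researcher describes, a login endpoint that accepts a valid provider token but looks up the account by an email field the client sends alongside it, with a version that takes the email only from the provider’s own answer about the token. The token introspection, app id and user records are constructed stand-ins.

```python
# Added example (not Droom's code): a social-login endpoint must derive the
# user's identity from the identity provider's verified token, never from an
# email field the client sends alongside it.

# Constructed stand-in for Facebook's token introspection. A real backend would
# call Facebook's debug_token endpoint and then Graph API /me?fields=email with
# an app access token; the shape of the answer below mirrors that, but every
# value is made up.
_ISSUED_TOKENS = {
    "tok-alice": {"is_valid": True, "app_id": "our-app", "email": "alice@example.com"},
    "tok-other-app": {"is_valid": True, "app_id": "some-other-app", "email": "alice@example.com"},
}
OUR_APP_ID = "our-app"  # assumption: the app id the provider issued to this site


def introspect_token(access_token):
    """Return what the provider says about a token, or None if it is unknown."""
    return _ISSUED_TOKENS.get(access_token)


# Constructed user store keyed by email (values are placeholders).
USERS = {
    "alice@example.com": {"name": "Alice", "bank_account": "[placeholder-a]"},
    "victim@example.com": {"name": "Victim", "bank_account": "[placeholder-v]"},
}


def login_vulnerable(payload):
    """The misconfiguration pattern: the token is checked for validity, but the
    account is looked up by the client-supplied email, so any valid token plus
    someone else's email returns that other person's account."""
    info = introspect_token(payload.get("access_token"))
    if not info or not info["is_valid"]:
        return None
    return USERS.get(payload.get("email"))  # client-controlled field decides identity


def login_hardened(payload):
    """Fixed: the email comes only from the provider's answer, the token must
    have been issued to this app, and any client-sent email is ignored."""
    info = introspect_token(payload.get("access_token"))
    if not info or not info["is_valid"] or info["app_id"] != OUR_APP_ID:
        return None
    return USERS.get(info["email"])
```

Linking accounts by the provider’s stable user id rather than by email is stronger still, since emails can change or be re-verified differently across providers.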
Gadgets 360 reached out to Droom and reported the security flaw to one of its senior software developers. After discussing the bug and its severity with Alam, who also discovered a security lapse in a fashion e-commerce platform called Spoyl last month, Droom fixed the bug later on the same day. However, it is not known how long the security flaw in Droom’s system lay unresolved, and if the data of users was compromised.
We have reached out to the company for more details about the flaw and whether any user data was compromised. We will update this copy when we hear back from Droom.
As for the company, it has a user base of 35 million monthly users. Apart from India, the company also has a presence in Malaysia, Singapore, and Thailand. As per the company’s website, Droom is currently generating $1.3 billion (roughly Rs. 9,212 crores) in annualized GMV and offers services in nearly a thousand Indian cities.