Droom, one of India’s largest online marketplaces for buying and selling vehicles, has fixed a severe security flaw that was exposing the personal data and banking details of millions of its users. The flaw, a misconfiguration of the Facebook sign-in API, could give malicious hackers easy access to user details such as names, addresses, phone numbers, Aadhaar numbers, PAN card numbers, and their purchase history on Droom. Moreover, banking details such as the name of the user’s bank, account number, and IFSC code could also be accessed just by using the registered email ID of a Droom user.
Independent security researcher Sayaan Alam reached out to Gadgets 360 with his findings on this security flaw in Droom’s system, and also shared with us a PoC of how hackers could exploit the bug to gain access to user data. We were also able to verify Alam’s findings by creating a Droom account and completing the user profile with fake details in the required fields. All of these details, such as user name, address, phone number, Aadhaar number, PAN card number, bank account number, purchase history, and more, were pulled out in a very short span of time by Alam after exploiting the flaw.
“The issue lay with misconfiguration of the Facebook sign-in API. Facebook’s authentication gives a site a unique token, which is used to confirm your sign-in details. But due to a misconfiguration, an attacker can change their email ID to the victim’s email ID, and this gives them access to the other user’s account,” Alam told Gadgets 360.
“The bug grants customers’ login account access to anyone who knows their email ID—and from there, it’s possible to extract a person’s full name, address, phone number, Aadhaar card number, PAN card number, bank account details, and wallet balance access, apart from their purchase history with Droom,” added the security researcher, who is still in his teens.
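The account-takeover pattern Alam describes, reconstructed as an added example (this is not Droom’s code, and since the flawed code was never published, the exact mechanism below is an assumption): a login handler that checks the provider token but then picks the account from a client-supplied email, beside a hardened handler that resolves the account only from the identity the provider asserts for that token. The provider lookup, app id and user records are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Dict, Optional

OUR_APP_ID = "APP_ID_PLACEHOLDER"  # placeholder for the site's own Facebook app id

# Constructed stand-in for provider-side token introspection. In production this is
# an HTTPS call to the identity provider (for Facebook, the Graph API debug_token
# endpoint reports app_id, user_id and is_valid); a table here so the code runs offline.
FAKE_PROVIDER_TOKENS: Dict[str, dict] = {
    "tok-alice":   {"app_id": OUR_APP_ID, "user_id": "fb-1001", "is_valid": True},
    "tok-mallory": {"app_id": OUR_APP_ID, "user_id": "fb-2002", "is_valid": True},
    # Valid token, but minted for a different app that the same Facebook user also uses.
    "tok-other-app": {"app_id": "OTHER_APP_ID", "user_id": "fb-1001", "is_valid": True},
}

@dataclass
class Account:
    user_id: str
    email: str
    provider_id: Optional[str] = None  # Facebook user id linked at sign-up

# Constructed user store.
ACCOUNTS = {
    "u1": Account("u1", "alice@example.com", provider_id="fb-1001"),
    "u2": Account("u2", "mallory@example.com", provider_id="fb-2002"),
}

def introspect(token: str) -> Optional[dict]:
    """Ask the provider what it asserts about this token (stand-in)."""
    return FAKE_PROVIDER_TOKENS.get(token)

def login_insecure(body: dict) -> Optional[Account]:
    """Anti-pattern: the token is checked, but the account is chosen by the email
    field the client sent, which is never tied to the token's owner."""
    info = introspect(body["token"])
    if not info or not info["is_valid"]:
        return None
    return next((a for a in ACCOUNTS.values() if a.email == body["email"]), None)

def login_hardened(body: dict) -> Optional[Account]:
    """Resolve the account only from the identity the provider asserts, and reject
    tokens issued for another app (they can be valid yet belong to a different site)."""
    info = introspect(body["token"])
    if not info or not info["is_valid"] or info["app_id"] != OUR_APP_ID:
        return None
    return next((a for a in ACCOUNTS.values() if a.provider_id == info["user_id"]), None)
```

A detection-side corollary: log the provider user id alongside the account resolved at each social login, so a mismatch between the two is visible in audit records.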
Gadgets 360 reached out to Droom and reported the security flaw to one of its senior software developers. After discussing the bug and its severity with Alam, who also discovered a security lapse in a fashion e-commerce platform called Spoyl last month, Droom fixed the bug later the same day. However, it is not known how long the security flaw in Droom’s system lay unresolved, or whether any user data was compromised.
We have reached out to the company for more details about the flaw and whether any user data was compromised. We will update this copy when we hear back from Droom.
As for the company, it has a user base of 35 million monthly users. Apart from India, the company has a presence in Malaysia, Singapore, and Thailand as well. As per the company’s website, Droom is currently generating $1.3 billion (roughly Rs. 9,212 crores) in annualized GMV and offers services in nearly a thousand Indian cities.