The security breach of Zomato, in which records of 17 million users were stolen, is allegedly not the first time that user records of the food ordering and restaurant review app have been compromised.
Had it not been for a sharp-eyed ethical hacker who spotted the potentially severe loophole, the information of 65 million users could have been leaked in 2015.
A Bengaluru-based ethical hacker and serial bug bounty hunter has alleged that Zomato did not inform its users about this loophole, which he found in its system in June 2015.
Anand Prakash, who has previously found bugs in Facebook and Uber, among others, said that he approached Zomato in 2015 after spotting the bug, which attackers could have exploited to access the data of 65 million users. According to Anand, Zomato fixed the bug within a day.
“Using that loophole, I or the hackers could have seen first name, last name, phone number, address of a user, Instagram access token of all Zomato users, places which have been visited by users,” Anand said.
Anand says the security loophole that he found in 2015 could have had more severe consequences than the recent breach.
“Access token leakage is much more severe as I could have seen private photos of all Zomato users who have connected their Instagram account using Instagram API,” Prakash added.
Anand had written about the bug in his blog post titled "[Responsible disclosure] How I could have hacked 62.5 million Zomato Users", with a proof-of-concept video.
“While creating an account, a user can store his phone number, addresses, date of birth, link Instagram account etc. In one of the API calls, they were reflecting the user data based on the "browser_id" parameter in the API request. Interestingly, changing the "browser_id" sequentially resulted in data leakage of other Zomato users. The data leaked also had Instagram access token which could be used to see private photos on Instagram of respective Zomato users,” Anand wrote in the blog.
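The flaw Anand describes is an insecure direct object reference: the server returns whatever record the client-supplied browser_id names, with no check that it belongs to the caller. As an added illustration (not Zomato's code; the users, sessions and tokens are constructed), here is a handler with that defect beside one that binds the requested record to the authenticated session and stops echoing the stored Instagram token:

```python
# Added illustration (not Zomato's code): an insecure direct object reference
# of the kind described above, beside a hardened handler. All data is constructed.
from dataclasses import dataclass


@dataclass
class User:
    browser_id: int
    name: str
    phone: str
    instagram_token: str  # third-party token stored server-side


# Constructed sample records keyed by a sequential browser_id.
USERS = {
    1001: User(1001, "Asha", "+91-90000-00001", "ig-token-asha"),
    1002: User(1002, "Ravi", "+91-90000-00002", "ig-token-ravi"),
}

# Constructed sessions: session cookie -> browser_id the session belongs to.
SESSIONS = {"sess-asha": 1001, "sess-ravi": 1002}


def vulnerable_profile(session_id: str, browser_id: int) -> dict:
    """Trusts the client-supplied browser_id: any logged-in caller can walk
    the id space (1001, 1002, ...) and read every user's record."""
    if session_id not in SESSIONS:
        return {"error": "unauthenticated"}
    u = USERS.get(browser_id)
    return vars(u) if u else {"error": "not found"}


def hardened_profile(session_id: str, browser_id: int) -> dict:
    """Binds the requested object to the authenticated principal and never
    returns the stored third-party access token to the client."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        return {"error": "unauthenticated"}
    if browser_id != owner:  # authorization: the object must belong to the caller
        return {"error": "forbidden"}
    u = USERS[owner]
    return {"browser_id": u.browser_id, "name": u.name, "phone": u.phone,
            "instagram_linked": bool(u.instagram_token)}
```

The hardened version also illustrates the second lesson from the 2015 report: a linked-account token is a server-side credential and should never be part of the profile payload.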
Zomato on Thursday had announced that hackers had accessed the data (user IDs, names and hashed passwords) of 17 million users from its database. The data, which was being sold on the Dark Web, has since been taken down after an agreement between the company and the hacker(s).
Thursday's breach also revealed that Zomato uses the MD5 algorithm to hash its passwords, which Anand considers "ancient".
“It is a very old encryption system and can be hacked with very little effort,” Anand said.
An official spokesperson of Zomato said, "Anand had reported a bug that could leak to us in June 2015, which we fixed right away. Since this was an ethical disclosure on Anand's part, it did not have to be reported to the users. We did allow Anand to publicly disclose how he did this once we had patched it. This time, the incident first appeared to have been done with the intention of causing harm and so we were proactive in communicating to our users."