Droom, one of India's largest online marketplaces for buying and selling vehicles, has fixed a severe security flaw that was exposing the personal data and banking details of millions of its users. The security glitch, which was associated with misconfiguration of Facebook sign-in API, could provide malicious hackers easy access to user details such as names, addresses, phone numbers, Aadhaar numbers, PAN card numbers, and their purchase history on Droom. Moreover, banking details of users such as the name of their bank, account number, and IFSC code could also be accessed easily by just using the registered email ID of a Droom user.
Independent security researcher, Sayaan Alam, reached out to Gadgets 360 with his findings of the aforesaid security flaw in Droom's system, and also shared with us the PoC of how hackers could exploit the bug to gain access to user data. We were also able to verify Alam's findings by creating a Droom account and completing the user profile by adding fake details in the required fields. All these details such as user name, address, phone number, Aadhaar number, PAN card number, bank account number, purchase history, and more were pulled out in a very short span of time by Alam after exploiting the flaw.
“The issue lay with misconfiguring of Facebook sign-in API. Facebook's authentication gives a site a unique token, which is used to confirm your sign-in details. But due to a misconfiguration, attacker can change their email ID to victim's email ID and this gives him access to other user's account,” Alam told Gadgets 360.
“The bug grants customers' login account access to anyone who knows their email ID—and from there, it's possible to extract a person's full name, address, and phone number, Aadhaar card number, PAN card number, bank account details, wallet balance access, apart from their purchase history with Droom,” added the security researcher, who is still in his teens.
Gadgets 360 reached out to Droom and reported the security flaw to one of its senior software developers. After discussing the bug and its severity with Alam, who also discovered a security lapse in a fashion e-commerce platform called Spoyl last month, Droom fixed the bug later on the same day.
"Droom takes security, safety and privacy of customer data with utmost level of seriousness and is committed to ensuring complete protection of user data," Amit Goel, VP, Engineering, Droom told Gadgets 360 in a statement. "We invest heavily and adhere to best practices in our engineering and infrastructure operations. The issue has been fixed and we confirm that no data has ever been compromised. Droom follows very high standards and processes in ensuring complete security of user data."
"Droom uses industry leading solutions like AKAMAI and AWS and have implemented layered security including multifactor authentication and CSRF token wherever required. Further Droom does not store any Credit/Debit card or e-wallet data. All transactions at Droom are executed via 3rd party payment gateways only," Goel added.
As for the company, it has a userbase of 35 million users monthly users. Apart from India, the company has a presence in Malaysia, Singapore, and Thailand as well. As per the company's website, Droom is currently generating $1.3 billion (roughly Rs. 9,212 crores) in annualized GMV and offers services in nearly a thousand Indian cities.