LazyPay Security Flaw, Now Fixed, Could Have Been Used to Acquire Sensitive User Information

LazyPay parent PayU fixed the issue quickly after it was reported by a security researcher.

LazyPay Security Flaw, Now Fixed, Could Have Been Used to Acquire Sensitive User Information

LazyPay is one of the popular “buy now, pay later” platforms in India

Highlights
  • LazyPay security flaw was found by a security researcher
  • It could have allowed attackers to steal user data from a vulnerable API
  • LazyPay parent PayU quickly responded and fixed the flaw

LazyPay, the digital credit platform by Netherlands-based fintech company PayU, was found to have a security flaw that could have allowed hackers to obtain user data such as their full name, gender, date of birth, and phone number, according to a security researcher. He said that the issue was resolved quickly after it was reported to PayU, and the company confirmed the vulnerability but told Gadgets 360 that there was no user data leaked. However, LazyPay has not informed its users about the flaw and its fix.

Bengaluru-based Ehraz Ahmed discovered the vulnerability in LazyPay. He stated that the flaw allowed attackers to fetch sensitive user information by using the phone number of any registered users on the platform.

Upon getting the phone number, an attacker could get data such as the full name, gender, date of birth, postal address, profile picture, primary and secondary email addresses, and know-your-customer (KYC) status, Ahmed explained in a blog post.

He added that the issue was vulnerable as a hacker with minimal programming skills could easily create a program to fetch a series of phone numbers and pass them to the unsecured API to extract sensitive user information in an automated way. The researcher told Gadgets 360 that he found the flaw by tricking one of the API endpoints provided by LazyPay to third-party developers.

Shortly after finding the vulnerability in October, Ahmed reached out to LazyPay parent PayU. The company acknowledged the issue and responsibly fixed it right away. Ahmed reached out to Gadgets 360 with the details about the flaw in late May. After understanding the issue, we communicated with PayU to get further clarity on the matter.

A PayU spokesperson the flaw and also assured Gadgets 360 that its fix was already in place.

“PayU takes the security of our systems and our data very seriously,” the spokesperson said. “We are continuously running checks to ensure that our payment systems are safe and secure for everyone to access and use. The incident with regard to the security gap with LazyPay which was reported in the month of October was immediately resolved. There was no leak of customer information due to this incident.”

The company, however, did not inform its customers directly about the incident that had put their personal data at risk.

Launched back in 2017, LazyPay comes as a “buy now, pay later” offering by PayU to let customers make repayments for their orders online via instalments. The platform is claimed to be accepted across over 250 websites and apps, including BookMyShow, Flipkart, MakeMyTrip, and Swiggy.

LazyPay also offers personal loans up to Rs. 1 lakh through a digital process. Customers signing up on the platform are required to provide their photo ID proofs such as PAN or Aadhaar, alongside their bank details, and a selfie.


Interested in cryptocurrency? We discuss all things crypto with WazirX CEO Nischal Shetty and WeekendInvesting founder Alok Jain on Orbital, the Gadgets 360 podcast. Orbital is available on Apple Podcasts, Google Podcasts, Spotify, Amazon Music and wherever you get your podcasts.
Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Further reading: LazyPay, PayU, security flaw
Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a senior reporter for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13 or Email at jagmeets@ndtv.com. Please send in your leads and tips. More
Samsung Galaxy S21 FE Could Support 25W Fast Charging Just Like Vanilla Galaxy S21

Related Stories

Share on Facebook Tweet Snapchat Share Reddit Comment
 
 

Advertisement

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2021. All rights reserved.
Listen to the latest songs, only on JioSaavn.com