Droom has today patched an API-based vulnerability that exposed personal data such as addresses and PAN card numbers. The vulnerability was found by cybersecurity researcher Sayaan Alam.
Droom patches Vulnerability that exposed Personal Data
The API-based vulnerability was found by Sayaan Alam, a 15-year-old cybersecurity researcher. He is the same teenager who last month found a weakness in the e-commerce site Spoyl; that site had a similar API-based vulnerability, which was also patched last month.
The Droom vulnerability gave an attacker access to any user's account provided the attacker knew the victim's email address. From there it was possible to extract the victim's full name, address, phone number, Aadhaar card number, PAN card number and bank account details, and to access the account's wallet balance.
Alam says, “The issue lay with a misconfiguration of the Facebook sign-in API. Facebook’s authentication gives a site a unique token, which is used to confirm your sign-in details. But due to the misconfiguration, the attacker can change their email ID to the victim’s email ID, and this gives them access to other users’ accounts.”
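The bug class Alam describes is a social-login endpoint that verifies the Facebook token but then lets the client say which site account the token belongs to. The following is an added illustration, not Droom's code and not something taken from the researcher: the account store, the Facebook token table and the request bodies are all constructed stand-ins, and the `facebook_verify` helper only simulates the server-side Graph API call (`GET /me?fields=id,email&access_token=...`) that a real backend would make.

```python
from typing import Optional

# Constructed stand-in for Facebook's answer to a server-side token check.
# In production this is a Graph API call made by the server (and ideally a
# debug_token check that the token was issued to your own app id); the client
# never gets to influence what comes back.
FACEBOOK_TOKEN_PROFILES = {
    "fb-token-attacker": {"id": "24680", "email": "attacker@example.com"},
}

# Constructed account store keyed by the email used at registration.
ACCOUNTS = {
    "victim@example.com": {"name": "Victim User", "phone": "9999900000", "wallet_balance": 2500},
    "attacker@example.com": {"name": "Attacker", "phone": "1111100000", "wallet_balance": 0},
}

# Constructed link table: Facebook user id -> site account, written once when the
# user explicitly linked Facebook to their account. Facebook ids are stable; emails
# can change hands, so the hardened path keys on the id.
FACEBOOK_ID_LINKS = {"24680": "attacker@example.com"}


def facebook_verify(access_token: str) -> Optional[dict]:
    """Return the profile Facebook binds to this token, or None if the token is invalid."""
    return FACEBOOK_TOKEN_PROFILES.get(access_token)


def vulnerable_login(request: dict) -> Optional[dict]:
    """Validate the token, then log in whichever email the client put in the request body.

    The token only proves the caller owns *some* Facebook account; this code wrongly
    lets the caller choose which site account that maps to.
    """
    if facebook_verify(request.get("access_token", "")) is None:
        return None
    # BUG: request["email"] is attacker-controlled.
    return ACCOUNTS.get(request.get("email", ""))


def hardened_login(request: dict) -> Optional[dict]:
    """Bind the session to the identity Facebook asserts for the token and nothing else.

    Any "email" field in the request body is ignored entirely. If the Facebook user
    has never linked an account, refuse rather than guess from an email address.
    """
    profile = facebook_verify(request.get("access_token", ""))
    if profile is None:
        return None
    linked_email = FACEBOOK_ID_LINKS.get(profile["id"])
    if linked_email is None:
        return None  # unlinked Facebook user: send them through an explicit link flow
    return ACCOUNTS.get(linked_email)


# Constructed attack request: the attacker's own valid token plus the victim's email.
ATTACK_REQUEST = {"access_token": "fb-token-attacker", "email": "victim@example.com"}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_login(ATTACK_REQUEST))
    print("hardened:  ", hardened_login(ATTACK_REQUEST))
```

With the constructed inputs, `vulnerable_login` hands the attacker the victim's record while `hardened_login` returns only the attacker's own account. The design choice worth noting is that the fix is not "check the email matches" but "never read the email from the client at all": the server already has a verified identity from the token check, and any identity claim arriving alongside it is redundant at best and an attack vector at worst.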
Droom has 35 million users. Apart from India, the company operates in Malaysia, Singapore and Thailand, and it generates $1.3 billion in revenue each year in India alone.
Droom has not issued a public statement about the issue or about the timing of the fix. For now, users can only hope that the exploit has been fully closed and that similar issues do not recur.