Zomato hacked! But no damage done

10 Jun, 2015


Restaurant and event listing service Zomato has become the latest victim of online hacking.The attack was conducted last week by ethical hacker Anand Prakash, who not only highlighted a flaw in Zomato's data recall system but also informed the company about the same.

"While creating an account, a user can store his phone number, addresses, date of birth, link Instagram account etc. In one of the API call, they were reflecting the user data based on the "browser_id" parameter in the API request. Interestingly, changing the "browser_id" sequentially resulted in data leakage of other Zomato users. The data leaked also had Instagram access token which could be used to see private photos on Instagram of respective Zomato users," Prakash, who works as an engineer with ecommerce leader Flipkart, wrote on his blog.

In the past, Prakash is said to have received $12,000 from Facebook for exposing a major security flaw in the social networking giant's website. His LinkedIn profile suggests that he has also pointed out security vulnerabilities at Twitter, Google, RedHat, Dropbox, Adobe, eBay, Paypal and Coinbase.

Over 62 million accounts of Zomato,  which has raised $163 million in overall funding till date, were exposed as part of Prakash's latest hack.

The technical team at Zomato, which is owned by Zomato Media Pvt Ltd, responded to the bug and fixed it in an hour's time, according to Prakash.

Here's the disclosure timeline given by Prakash.

June 1, 2015  09:29 PM : Report sent to Deepinder Goyal, CEO

June 2, 2015  12:54 PM :  Added Gunjan Patidar, CTO and Shrey Sinha to the mail thread

June 2, 2015   1:04 PM  : Bug acknowledged by Gunjan Patidar

June 2, 2015  2:01 PM   : Confirmation of vulnerability fix from Gunjan Patidar

Zomato did not comment on the hack.

Indian startups, who are raising funds and expanding operations at an exponential pace, are increasingly becoming vulnerable to online attacks. Gokul Gopinath, a security consultant based in Bangalore, believes that many young firms do not give the required attention to security details.

" Indian startups should immediately adopt the concept of crowd sourced bug hunting where your company will be tested by a larger community. We don't see many startups open to crowd sourced bug hunting or similar ideas. At the end of the day, what matters is whether you are really protecting the data that you have," Gopinath added.

Last week, a Reddit user by the name TeamUnknown claimed to have hacked into taxi hailing service Ola's systems and posted the database structure of the company online. Music streaming service was hacked in May, putting at risk the company's database of over 10 million users.