
OLA Cabs' online service had a serious glitch that exposed crucial user information

A hacker also managed to expose a serious bug in OLA Cabs’ wallet service

In a new exposé, a regular customer of OLA Cabs’ service opened up a can of worms that points to a serious flaw in the online security of the well-known startup. A simple human error at the server backend caused a stream of user data (names and phone numbers) to be sent to Swapnil Midha via SMS: OLA was (accidentally) sending her other customers’ booking confirmation messages throughout the day. Sadly, when she informed the company that sensitive personal information was being sent to her, the company simply chose to ignore her feedback. Before that incident, an ethical hacker had also managed to tap into the (not so) secure payment gateway system of OLA and refilled his Wallet with large sums. Since his intention was not to cause harm, he reported the security gap to OLA, and they chose to ignore him too.

Swapnil Midha shared her experience of the unwanted personal messages that kept beeping on her phone through the night in a Facebook post. The post has since been taken down, but we managed to get a screenshot (below). The messages were garbled, but contained a lot of sensitive personal details: user names, phone numbers and addresses.

She described her woes and concerns in her Facebook post, hoping that the firm concerned would take some action. “About three weeks ago, I booked an Ola cab for a long-distance drive. After the ride, I received a few garbled texts from "VM-OLACAB" that I didn't think much of and ignored. These messages were alpha-numeric with hashes and made no sense to me whatsoever. I assumed there was some system error and did not anticipate the sleep deprivation that followed. When I went to bed that night, my phone beeped once, twice, thrice. For someone who doesn't use her phone for more than the absolutely necessary call and catching up on the latest Time article, this was beyond strange. Nobody texts me at 11 pm, not even the pregnancy insurance spammer,” said Swapnil.

She wrote several emails to OLA and tweeted too, but OLA did not reply. After a few weeks OLA fixed the issue, and told the media that it had been human error: a phone number had been wrongly entered into their systems. They expressed regret that one driver’s phone number had been entered incorrectly, and said they had fixed the issue and added a verification procedure to avoid future incidents.

That was just one incident, in August 2015. Two months earlier, a hacker group by the name of ‘Team Unknown’ managed to break into OLA’s servers, only to find that the servers were not secure enough: they were greeted with thousands of personal details, including credit card numbers, vouchers and even user behaviour data. They took their discovery to a post on Reddit, but OLA denied the claims, stating that the hackers had got their information from a staging server and that it was not actual customer data. A staging server is a testing server, fed with dummy user data, used to test the server and its services before they go live to the public.

Even earlier, in March, an ethical hacker by the name of Shubham Paramhans accidentally tapped into the supposedly secure payment gateway of the OLA Wallet service. Since he has all his ‘hacking’ software tools on his phone, he noticed something unusual while booking an OLA cab. ‘I was monitoring my phone traffic from a proxy server. While doing that I saw Ola API calls going from my phone (since I was booking a cab),’ said Shubham on his blog.

‘After seeing that flashing binary data going from my system, I forgot my weekend project and started tweaking and reverse engineering Ola APIs, which eventually resulted in breaking their money transaction system and bam, I was able to recharge my Ola wallet with any amount,’ he continued.

Shubham exposed a serious glitch in the payment gateway and put his research to the company, but they paid no heed. After a few weeks he received a message from the online team saying that they were looking into the matter and would get back to him. They did not. They did, however, patch the glitch, and after confirming that the issue was resolved, Shubham wrote up his experience on his blog. Check out Shubham’s entire research and experience here.
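The article does not say what the actual defect in OLA's transaction flow was, only that a client who could see and modify the app's API calls ended up crediting his wallet with an arbitrary amount. The following is an added example, not code from the article, from OLA or from Shubham's blog, showing the server-side check that defends against that class of problem: the wallet is credited only for an amount the server itself recorded when the top-up was started, only when the gateway's confirmation carries a valid signature, and only once per order. The gateway secret, the callback field names (order_id, status, amount_paise) and the orders are all constructed for the demo and are assumptions, not OLA's real API.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumption: a secret shared between the wallet backend and the payment gateway,
# used to sign the gateway's "payment succeeded" callback. Constructed for the demo.
GATEWAY_SECRET = b"constructed-demo-secret"


@dataclass
class Order:
    order_id: str
    user_id: str
    amount_paise: int        # amount the SERVER recorded when the top-up was initiated
    status: str = "PENDING"


@dataclass
class Wallet:
    balances: dict = field(default_factory=dict)        # user_id -> balance in paise
    credited_orders: set = field(default_factory=set)   # orders already credited


def sign_callback(payload: dict, secret: bytes = GATEWAY_SECRET) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, as a gateway would sign its callback."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def credit_wallet(orders: dict, wallet: Wallet, callback: dict, signature: str) -> str:
    """Apply a gateway callback to the wallet. Returns a short outcome code."""
    # 1. Authenticity: a callback the client edited no longer matches its signature.
    if not hmac.compare_digest(sign_callback(callback), signature):
        return "REJECT_BAD_SIGNATURE"
    order = orders.get(callback.get("order_id"))
    if order is None:
        return "REJECT_UNKNOWN_ORDER"
    if callback.get("status") != "SUCCESS":
        return "REJECT_NOT_PAID"
    # 2. Amount: compare against the server's own record, never trust a client-supplied figure.
    if int(callback.get("amount_paise", -1)) != order.amount_paise:
        return "REJECT_AMOUNT_MISMATCH"
    # 3. Idempotency: a replayed callback must not credit the same order twice.
    if order.order_id in wallet.credited_orders:
        return "IGNORED_DUPLICATE"
    wallet.balances[order.user_id] = wallet.balances.get(order.user_id, 0) + order.amount_paise
    wallet.credited_orders.add(order.order_id)
    order.status = "PAID"
    return "CREDITED"


def demo():
    """Constructed scenario: one honest top-up, one replay, two tampering attempts."""
    orders = {"ORD-1": Order("ORD-1", "user-42", 50000)}   # Rs 500 recorded server-side
    wallet = Wallet()
    results = []

    good = {"order_id": "ORD-1", "status": "SUCCESS", "amount_paise": 50000}
    results.append(credit_wallet(orders, wallet, good, sign_callback(good)))      # CREDITED
    results.append(credit_wallet(orders, wallet, good, sign_callback(good)))      # IGNORED_DUPLICATE

    # Client inflates the amount in the callback but cannot re-sign it.
    tampered = dict(good, amount_paise=5000000)
    results.append(credit_wallet(orders, wallet, tampered, sign_callback(good)))  # REJECT_BAD_SIGNATURE

    # Client lowered the amount actually paid to the gateway; the gateway honestly
    # signs the small payment, so only the server's own record catches it.
    orders["ORD-2"] = Order("ORD-2", "user-42", 10000)
    underpaid = {"order_id": "ORD-2", "status": "SUCCESS", "amount_paise": 99}
    results.append(credit_wallet(orders, wallet, underpaid, sign_callback(underpaid)))  # REJECT_AMOUNT_MISMATCH

    return results, wallet.balances


if __name__ == "__main__":
    print(demo())
```

The fourth case is the one most relevant to the passage: a correctly signed confirmation is still not enough, because the client may have altered what was paid before the gateway saw it. Only the server's own record of what the order was supposed to cost settles how much to credit.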

With Ashley Madison’s service being hacked and millions of users’ private profiles and personal information spilling out into the open, online security and privacy have become a serious concern. Recently, Amitabh Bachchan's Twitter account being hacked made another headline.

Professional hackers, ethical or otherwise, know all the possible ways to reverse engineer almost any website, service or gateway, get past its security and grab hold of whatever they find. Such was the case with Ashley Madison’s website, where hackers hit gold: usernames, passwords, credit card details and much more. The same has happened to many other websites, including Snapchat and Adobe. Check out the ‘Top 10 data breaches’, which highlights 10 such well-known websites that were hacked, along with a few others that made the list.

(Source: Deccan Chronicle)