Thursday, 4 June 2015

[Responsible disclosure] How I hacked 62.5 million Zomato Users


Note: This is being published with the permission of Zomato Team. The vulnerability is now fixed. 

Zomato is an online restaurant search and discovery service providing information on home delivery, dining out, cafés and nightlife for various cities of India and 21 other countries. It has 62.5 million registered users.
While creating an account, a user can store their phone number, addresses and date of birth, link an Instagram account, and so on. In one of the API calls, the user data returned was selected by the "browser_id" parameter in the request. Changing the "browser_id" sequentially leaked the data of other Zomato users. The leaked data also included the Instagram access token, which could be used to view the private Instagram photos of the affected Zomato users.

Below are the technical details of the vulnerability:

Description:

Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files.
The attacker simply modifies the value of a parameter that points directly to an object; the resources reached this way can be database entries belonging to other users, files on the system, and more. The root cause is that the application takes user-supplied input and uses it to retrieve an object without performing a sufficient authorization check.

Vulnerable endpoint:

POST /v2/userdetails.json/XXXXX?&browser_id=XXXXX&type=journey&lang=en&uuid=pgh1evyBWvL+sp9/JpwUpItnk8Q=&app_version=6.5.0.1 HTTP/1.1
Accept: */*
Content-Length: 214
Accept-Encoding: gzip, deflate
X-Zomato-API-Key: XXXXXXX
Content-Type: application/x-www-form-urlencoded
User-Agent: Zomato/5.0
Host: 1api.zomato.com
Connection: Keep-Alive
Cache-Control: no-cache

lang=en&uuid=pgh1evyBWvL%2Bsp9%2FJpwUpItnk8Q%3D&client_id=Zomato_WindowsPhone8_v2&app_version=6.5.0.1&device_manufacturer=NOKIA&device_name=NOKIA%2520Lumia%25201020&access_token=xyz

Replacing the XXXXX with the victim's user id in the above request led to information disclosure.
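The authorization check the endpoint was missing, shown as an added illustration that is not Zomato's code: a user-details handler that returns whichever record the caller-supplied id names, beside one that binds the lookup to the authenticated session and strips the Instagram token from the response. User records, ids and tokens are constructed placeholders.

```python
# Added example (not Zomato's code): a user-details handler that trusts the
# caller-supplied id versus one that binds the lookup to the authenticated user.

# Constructed sample data; ids and tokens are placeholders, not real values.
USERS = {
    101: {"name": "Alice", "phone": "+91-0000000001", "dob": "1990-01-01",
          "instagram_access_token": "IG_TOKEN_PLACEHOLDER_A"},
    102: {"name": "Bob", "phone": "+91-0000000002", "dob": "1988-05-05",
          "instagram_access_token": "IG_TOKEN_PLACEHOLDER_B"},
}
SESSIONS = {"tok_alice": 101, "tok_bob": 102}   # access_token -> user id

# Fields that never need to leave the server in a profile response.
SERVER_ONLY_FIELDS = {"instagram_access_token"}


def userdetails_vulnerable(browser_id: int, access_token: str) -> tuple:
    """IDOR: the token only proves that *someone* is logged in; the record
    returned is chosen entirely by the caller-controlled browser_id."""
    if access_token not in SESSIONS:
        return 401, {"error": "unauthenticated"}
    record = USERS.get(browser_id)
    if record is None:
        return 404, {"error": "no such user"}
    return 200, dict(record)          # also leaks the Instagram access token


def userdetails_fixed(browser_id: int, access_token: str) -> tuple:
    """Authorization is decided from the session, not from the request id,
    and server-only secrets are removed before the response is built."""
    owner = SESSIONS.get(access_token)
    if owner is None:
        return 401, {"error": "unauthenticated"}
    # Object-level check: the id in the request must be the caller's own id.
    # A uniform 403 also avoids confirming whether other ids exist.
    if browser_id != owner:
        return 403, {"error": "forbidden"}
    record = USERS[owner]
    safe = {k: v for k, v in record.items() if k not in SERVER_ONLY_FIELDS}
    return 200, safe
```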

Ease of exploitability:

You can easily get the user id of any Zomato user by visiting their profile: ids are public and appended to the profile URL.
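Because the ids are public and sequential, a sweep of this endpoint has a recognisable shape in server logs: one access token successfully pulling many different browser_id values in a run. The following detection pass is an added example, not Zomato's tooling; the access-log format, tokens, ids and addresses are constructed for the illustration.

```python
# Added example (not Zomato's code): flag sessions that read many distinct
# user ids from the user-details endpoint, the traffic shape an IDOR sweep leaves.
import re
from collections import defaultdict

# Constructed sample access log (ip, token, method, path, status); all values are placeholders.
LOG = """\
10.0.0.5 tok_alice POST /v2/userdetails.json/101?browser_id=101&type=journey 200
10.0.0.5 tok_alice POST /v2/userdetails.json/101?browser_id=101&type=journey 200
10.0.0.9 tok_mallory POST /v2/userdetails.json/200?browser_id=200&type=journey 200
10.0.0.9 tok_mallory POST /v2/userdetails.json/201?browser_id=201&type=journey 200
10.0.0.9 tok_mallory POST /v2/userdetails.json/202?browser_id=202&type=journey 200
10.0.0.9 tok_mallory POST /v2/userdetails.json/203?browser_id=203&type=journey 200
10.0.0.9 tok_mallory POST /v2/userdetails.json/204?browser_id=204&type=journey 200
"""

LINE = re.compile(
    r"^(\S+) (\S+) POST /v2/userdetails\.json/\d+\?[^ ]*?browser_id=(\d+)\S* (\d{3})$"
)


def enumeration_report(log: str, max_ids: int = 3) -> dict:
    """Per access token: how many distinct browser_ids it read successfully,
    whether they form a consecutive run, and whether the count exceeds max_ids."""
    ids_by_token = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m or m.group(4) != "200":
            continue                      # only successful reads disclose data
        _ip, token, browser_id, _status = m.groups()
        ids_by_token[token].add(int(browser_id))
    report = {}
    for token, ids in ids_by_token.items():
        ordered = sorted(ids)
        sequential = len(ordered) > 1 and ordered[-1] - ordered[0] == len(ordered) - 1
        report[token] = {"distinct_ids": len(ordered),
                         "sequential": sequential,
                         "suspicious": len(ordered) > max_ids}
    return report
```

A real deployment would key on the authenticated user rather than the raw token and window the counts by time, but the signal is the same: distinct object ids per principal, far above what a normal client produces.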
Proof of concept video:



This bug was responsibly disclosed to Zomato and was fixed within a few minutes by the engineering team.

Disclosure Timeline:
June 1, 2015  09:29 PM : Report sent to Deepinder Goyal, CEO
June 2, 2015  12:54 PM : Added Gunjan Patidar, CTO and Shrey Sinha to the mail thread
June 2, 2015  01:04 PM : Bug acknowledged by Gunjan Patidar
June 2, 2015  02:01 PM : Confirmation of vulnerability fix from Gunjan Patidar
 

Comments:

  1. What did they do to fix the bug? If they just took the API offline, then it's not a fix within "a few mins". :)

  3. Wow, no bounty? That's a great way to dissuade security researchers like yourself from finding vulnerabilities on their site. Never trusting them with my data.

  5. Zomato is cheap, not even a bounty offered? Shame on Zomato.

  6. Kudos to people like you.

  7. Hi Prakash, can you please contact me by mail: hostweb13@gmail.com
    Please, it's very urgent...

  8. This is a sort of unethical practice in a society which misleads people through web blog engineering assignment help; they share their personal data on that and later on it becomes harmful for the user's privacy.
