Thursday, 4 June 2015

[Responsible disclosure] How I hacked 62.5 million Zomato Users


Note: This is being published with the permission of Zomato Team. The vulnerability is now fixed. 

Zomato is an online restaurant search and discovery service providing information on home delivery, dining-out, cafés and nightlife for various cities of India and 21 other countries. It has 62.5 million registered users.
While creating an account, a user can store their phone number, addresses and date of birth, link an Instagram account, etc. In one of the API calls, the server returned user data based on the "browser_id" parameter in the request. Interestingly, changing the "browser_id" sequentially leaked the data of other Zomato users. The leaked data also included the user's Instagram access token, which could be used to view the private Instagram photos of the respective Zomato users.

Below are the technical details of the vulnerability:

Description:

Insecure Direct Object References (IDOR) occur when an application exposes a resource based on a user-supplied identifier, such as a database key or a file name, without checking that the caller is authorized to access that object. An attacker can then bypass authorization simply by modifying the parameter value that points to the object, reaching database entries belonging to other users, files on the system, and more. The root cause is that the application takes user-supplied input and uses it to retrieve an object without performing sufficient authorization checks.
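The following is an added illustration of the pattern just described, not Zomato's code (which is not public): a user-details lookup that trusts the client-supplied id, next to a hardened version that authorizes against the authenticated principal and never returns the third-party access token. The in-memory user table, the `Session` type and all record values are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data with the kinds of fields the post says a profile
# can hold.  None of these values are real records.
USERS = {
    101: {"name": "alice", "phone": "+91-0000000001", "dob": "1990-01-01",
          "addresses": ["placeholder address 1"], "instagram_token": "IGTOKEN-ALICE"},
    102: {"name": "bob", "phone": "+91-0000000002", "dob": "1991-02-02",
          "addresses": ["placeholder address 2"], "instagram_token": "IGTOKEN-BOB"},
}

# The only fields appropriate for anyone viewing a public profile.
PUBLIC_FIELDS = {"name"}


@dataclass
class Session:
    """Hypothetical server-side session resolved from the caller's access token.
    user_id is None when the token did not authenticate anyone."""
    user_id: Optional[int]


def userdetails_vulnerable(requested_id: int, session: Session) -> dict:
    """IDOR: the record is selected purely from the client-supplied id.
    The session is never consulted, so any caller obtains any user's data,
    including the stored Instagram access token."""
    return dict(USERS[requested_id])


def userdetails_fixed(requested_id: int, session: Session) -> dict:
    """Authorize first, then minimise what is returned."""
    record = USERS.get(requested_id)
    if record is None:
        raise KeyError(requested_id)
    if session.user_id == requested_id:
        # Owner view: the user's own personal data, but never the Instagram
        # token.  The server uses that token on the user's behalf and has no
        # reason to hand it back to any client.
        return {k: v for k, v in record.items() if k != "instagram_token"}
    # Any other caller, authenticated or not, gets only the public projection.
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}
```

The check compares the id in the URL with the id bound to the session, so sequential ids stop mattering: a caller can name any id, but only their own record yields private fields. Stripping the token from the owner view is the second half of the fix, because a leak of a field that is never serialised is impossible regardless of future authorization bugs.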

Vulnerable endpoint:

POST /v2/userdetails.json/XXXXX?&browser_id=XXXXX&type=journey&lang=en&uuid=pgh1evyBWvL+sp9/JpwUpItnk8Q=&app_version=6.5.0.1 HTTP/1.1
Accept: */*
Content-Length: 214
Accept-Encoding: gzip, deflate
X-Zomato-API-Key: XXXXXXX
Content-Type: application/x-www-form-urlencoded
User-Agent: Zomato/5.0
Host: 1api.zomato.com
Connection: Keep-Alive
Cache-Control: no-cache

lang=en&uuid=pgh1evyBWvL%2Bsp9%2FJpwUpItnk8Q%3D&client_id=Zomato_WindowsPhone8_v2&app_version=6.5.0.1&device_manufacturer=NOKIA&device_name=NOKIA%2520Lumia%25201020&access_token=xyz

Replacing XXXXX with a victim's user id in the above request led to information disclosure.

Ease of exploitability:

You can easily get the user id of any Zomato user by visiting their profile: profiles are public and the id is appended to the profile URL.
Proof of concept video:



This bug was responsibly disclosed to Zomato and was fixed within a few minutes by the engineering team.

Disclosure Timeline:
June 1, 2015  09:29 PM : Report sent to Deepinder Goyal, CEO
June 2, 2015  12:54 PM : Added Gunjan Patidar, CTO and Shrey Sinha to the mail thread
June 2, 2015  01:04 PM : Bug acknowledged by Gunjan Patidar
June 2, 2015  02:01 PM : Confirmation of vulnerability fix from Gunjan Patidar.

22 comments :

  1. What did they do to fix the bug? If they just took the API offline, then it's not a fix within "few mins". :)

  3. Wow, no bounty? That's a great way to dissuade security researchers like yourself from finding vulnerabilities on their site. Never trusting them with my data.

  5. Zomato is cheap, didn't even offer a bounty? Shame on Zomato.

  6. Kudos to people like you.

  7. Hai, prakash can you please contact me on mail : hostweb13@gmail.com
    Please its very much urgent...

  16. Thanks for publishing this short article. It had been really informative. I will be sure to tell my friends and co workers about that blog and you'll get some more supporters. I read the post twice and I agree with every point you made. I will make sure to have a look at other pages on your site.
