Bugs, bugs, everywhere

Visvaksen P Chennai | Updated on March 12, 2018 Published on November 05, 2015

Julien Tromeur/

How two hackers found security holes in a bunch of prominent e-comm firms

A little over a month ago, a couple of twenty-something computer engineers with a little too much time on their hands after the recent demise of their startup, decided to ‘look under the hood’ of an online grocery retail service that they frequently used. They found a glaring flaw in the website’s code that allowed them to place orders for free.

They decided to dig deeper and a few hours later, found themselves with access to the personal information of the entire user base including names, addresses, phone numbers and emails. They had also identified a bug that would allow them to checkout all the items in a user’s shopping cart, sending them out for delivery the next day. Checking out the carts of the entire user base would have been trivial, and could have brought the company to its knees.

By the end of the day, Abhishek Anand and Manish Kumar, both computer science graduates from the Birla Institute of Technology, Mesra, had identified massive bugs in three more Indian Internet startups that they used on a regular basis.

“We saw that there were a lot of startups like this, that weren’t paying attention to security and protecting user information,” says Kumar, a former employee of Yahoo India. Thus, Fallible was born. The company aims to help Internet startups secure their websites and applications by locating bugs and potential exploits in their code before malicious hackers do.

Working out of a 1BHK in the Benson Town locality of Bengaluru that doubles as Anand’s home and the new company’s makeshift quarters, the duo found major problems in 17 Indian e-commerce companies, all but one of them start-ups. Several of them are massive names on their way to becoming ‘unicorns’ with billion-dollar valuations.

“Every company has bugs in their code,” says Anand who was new media website’s first hire. “But we did not test for the really common bugs, only those that might cause major problems.” And the problems they found ranged from potential free orders to full-scale leakage of personal data. In a couple of egregious cases, Kumar and Anand found passwords stored in plain text and even bank account numbers.

Worm in the menu

Zomato, a restaurant guide and ordering service, had a vulnerability that allowed malicious code to be injected into its pages and served to unsuspecting users.

BookMyShow, a ticketing service, had multiple bugs, one of which made it possible for their entire user database to be deleted. ZoRooms, a hotel booking service, had security holes that exposed the personal data and booking history of all their users.

Among the other companies that Kumar and Anand managed to compromise were grocery retailers PepperTap and BigBasket and Network18’s ecommerce division, HomeShop18.

In keeping with the established tradition of ‘white hat’ hackers who responsibly disclose their findings to parties concerned, the Fallible team contacted the companies with the problems they had found. Several of the companies hacked by the duo are now in the process of becoming clients of Fallible and are protected from being named publicly by non-disclosure agreements. However, BusinessLine has viewed their initial email correspondence with Fallible and can verify its claims.

“At first, most of them did not respond. In several cases, we had to hunt for the top executives’ contact information and try and get in touch with them. The smaller companies tended to reply sooner. The bigger ones took longer and a few of them never got back to us,” says Anand.

BusinessLine contacted the companies for a response and those that replied insisted that the bugs had been fixed post-haste but failed to clarify whether they had a formal bug submission procedure in place.

A spokesperson for ZoRooms stated that “one cannot expect the CEO and other co-founders to respond with alacrity to such mails,” but did not explain why bug reports had to be routed through the CEO in the first place.

“In India, white hat hackers are treated like crap,” says Anand. “We do not have laws to protect user data. Whereas in the US, companies can be sued for leaking data. So they encourage white hats and offer bounties for finding bugs. Here, if we approach someone with a bug, they see themselves as the victims and us as criminals.”

Kumar and Anand believe that the best solution to the security problem is crowdsourcing. They see Fallible eventually evolving from the current two-man operation, into a platform for companies to offer formal rewards for hunting down bugs, which can be claimed by independent hackers. But meanwhile, they are on the lookout for more clients and of course, more bugs.

Follow us on Telegram, Facebook, Twitter, Instagram, YouTube and Linkedin. You can also download our Android App or IOS App.

Published on November 05, 2015
This article is closed for comments.
Please Email the Editor