Justdial, one of India’s most prominent hyperlocal search engines, has been dealing with a major security flaw since the beginning of the month. The flaw amounts to a data breach, and it is the second in quick succession for the company, following a similar incident earlier this month.
The company operates at a large scale, with over 134 million QAU. Justdial’s entire customer database was exposed just a few weeks earlier; the current breach affects its reviewers’ database.
The First Breach
Around 18th April, an independent security researcher revealed that private data of over 100 million users contained in the search engine’s database had been exposed. This includes information such as names, email IDs, mobile numbers, addresses, and other such personally identifiable information.
The cause of this breach was a leaky endpoint left behind by an expired API. The API reportedly allowed anyone to access users’ data, 70% of which belonged to individuals who had called the Justdial hotline number, 8888 8888.
These findings were demonstrated by security researcher Rajshekhar Rajaharia, who posted the claims on Twitter. He also stated that Justdial had not acted on these claims.
Justdial denied these claims, stating that the data is stored in a ‘double-encrypted format’ and was audited to be compliant with PCI DSS norms.
A Second Volley
The same researcher discovered another loophole in the API of Justdial on April 29th, wherein the database of individuals who post reviews on the platform was exposed.
In a statement to a publication, Rajaharia said, “The API connected to Justdial’s database of reviewers has been unprotected since the company’s foundation.”
This meant that information such as a reviewer’s name, mobile number, and location was accessible through the loophole. The loophole was, again, on the API side: a leaky endpoint that could be accessed with almost no credentials.
To Justdial’s credit, the issue was fixed on the same day the researcher reported it. The company also fixed the first one within a week of Rajaharia’s original post.
Even though quick action was taken, the previously undiscovered loophole left users’ data unprotected because of what appear to be easily fixable mistakes. This points to a larger problem in fast-growing startups.
OpSec Failings Exposed Sensitive User Data
Justdial holds one of the largest databases across a range of verticals, operating in over 25 of them. While it provides similar services in each vertical, this market spread means a vast amount of diverse data is collected.
This demonstrates poor operational security on Justdial’s part, for two main reasons. First, an outdated API is one of the most basic ways that access to a system can be gained.
Anyone managing an API should retire the old version before releasing a new one, either by cutting off access or by cutting off support. A simple software switch could have protected access without changing anything in the current distribution.
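The software switch and credential check argued for above, as an added Python example that is not Justdial’s code: a hypothetical gateway that cuts off a retired API version with one setting, requires a bearer token on the reviewer endpoint, and masks the mobile number in what it does return. The token check and the sample reviewer record are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for a reviewers table (not real data).
REVIEWERS = {
    "1": {"name": "A. Sample", "mobile": "9876543210", "city": "Mumbai"},
}

# The "software switch": any version listed here is refused at the gateway,
# so a forgotten legacy endpoint cannot keep serving data.
RETIRED_VERSIONS = {"v1"}
# Resources that return personal data and therefore always require a credential.
PII_RESOURCES = {"reviewers"}

@dataclass
class Request:
    path: str                                   # e.g. "/v2/reviewers/1"
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: dict

def token_is_valid(token: str) -> bool:
    # Hypothetical stub: a real gateway would verify a signed token here.
    return token == "valid-token"

def mask_mobile(number: str) -> str:
    # Expose only the last four digits, so even an authorised caller gets minimal data.
    return "*" * (len(number) - 4) + number[-4:]

def gateway(req: Request) -> Response:
    parts = [p for p in req.path.split("/") if p]
    if len(parts) != 3:
        return Response(404, {"error": "not found"})
    version, resource, record_id = parts
    if version in RETIRED_VERSIONS:            # switch is checked before anything else
        return Response(410, {"error": f"API {version} has been retired"})
    if resource in PII_RESOURCES:               # no anonymous reads of personal data
        auth = req.headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or not token_is_valid(auth[len("Bearer "):]):
            return Response(401, {"error": "authentication required"})
    if resource != "reviewers" or record_id not in REVIEWERS:
        return Response(404, {"error": "not found"})
    record = dict(REVIEWERS[record_id])
    record["mobile"] = mask_mobile(record["mobile"])
    return Response(200, record)

if __name__ == "__main__":
    print(gateway(Request("/v1/reviewers/1")))                                       # 410
    print(gateway(Request("/v2/reviewers/1")))                                       # 401
    print(gateway(Request("/v2/reviewers/1", {"Authorization": "Bearer valid-token"})))  # 200
```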
Second, they allowed the same attack vector to be exploited twice. Had this been a breach by a malicious party rather than a security researcher, the second attack would have proved to be one of the worst ways for a compromise to occur.
This was already a known issue for Justdial, and the fact that the company did not assess other attack vectors from the same angle shows its failings in operational security.
The company needs to adopt tighter security around its databases, as it is now in the public eye as an insecure company. It remains to be seen what future loopholes are discovered.