Vulnerability In Logistics Company Shipyaari’s Tracking Feature Exposed User Data

Vulnerability In Logistics Company Shipyaari’s Tracking Feature Exposed User Data

SUMMARY

The logistics company exposed the data of thousands of customers because of a leak in its internal shipment information

Since the first detection of the leak in late 2021, Shipyaari has fixed the issue

The leaked Shipyaari data included customer names, addresses, phone numbers, order invoice data and delivery status

 

Mumbai-based logistics company Shipyaari, which offers logistics services to D2C brands, exposed the personal data of its customers because of a vulnerability in its shipment tracking functionality.

The aforementioned vulnerability, which was discovered by Indian security researcher Ashutosh Barot, lasted for months until its eventual fix late last month.

The leaked Shipyaari data included customer names, addresses, phone numbers, order invoice data and delivery status. Since the client tracking page was not password protected, anyone could view the same with the web address, Barot noted.

Explaining how the data could be accessed, he told Inc42, “Tracking IDs are numeric, so all possible numbers can be tried using automated tools. Therefore, an attacker could try numbers sequentially or randomly to gain correct tracking ID and access customers’ personal information.”

Barot first detected the vulnerability in October 2021 and reached out to the logistics player. However, Shipyaari only fixed the issue in the last week of July. The logistics major removed all the personally identifiable information, or PII, from its tracking page and put the tracking page behind a security wall that now requires an OTP for access.

“I am glad that they implemented the fix as recommended,” Barot said of Shipyaari’s fix.

As a rule of thumb, logistics players allow users to check package tracking information by only using the order number or the invoice number. However, it should be standard practice to not display PII on tracking pages anywhere.

Speaking with Inc42, Shipyaari noted that it was a minor issue and has been addressed since it was detected. “As soon as the Shipyaari team became aware of the issue, the issue was addressed diligently and required restrictions were imposed to make it a securely authorised access. The details are now only provided to the authorised person after authentication,” the logistics company said.

Adding further, Shipyaari, “Thanks to the timely flagging, Shipyaari was able to tackle the matter head-on. The blessing in disguise is that the product got forcefully upgraded well ahead of the planned cycle from a security and user-friendliness standpoint.”

Detailing the fix, the logistics company added, “We have fully removed the PII data from the page(s). This information would be available only once the user is authorised else no PII info will be ever displayed. If any unauthorized access is attempted multiple times, then the system will block the access.”

Founded in 2013 by Nayan Ratandhyara and Vishal Totla, Shipyaari claims to serve more than 25,000 pin codes, handling 5,000 shipments a day. The logistics company’s website also claims to have partnered with more than 6,000 active sellers across the country.

India has seen its fair share of data leaks over the last few years, but none was as impactful and as badly handled as the MobiKwik data leak last year. Impacting almost 100 Mn users, the data leak was the largest of its kind in the Indian startup ecosystem.

However, not only did MobiKwik threaten the researcher that pointed to the leak, Rajshekhar Rajaharia but also denied the breach altogether and laid the blame for customer data leaking on customers themselves.

MobiKwik, however, was not alone in last year’s data leaks. Since November 2020, data leaks at LimeRoad, BigBasket, Zee5, Chqbook, Upstox and Bizongo saw data of more than 37.5 Mn customers leaked. 

On the other hand, Domino’s India was the scene of a massive data leak, when data related to over 180 Mn orders appeared on the dark web.

India had been working on the Personal Data Protection Bill since 2017 but pulled it back after backlash from various corridors of the industry. The government cited various reasons for pulling the bill back, including an increased compliance burden on startups, and is working on a new bill.


Update | August 26, 2022, 11:50 PM

The article has been updated to include inputs from Ashutosh Barot and Shipyaari.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

Vulnerability In Logistics Company Shipyaari’s Tracking Feature Exposed User Data-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

Vulnerability In Logistics Company Shipyaari’s Tracking Feature Exposed User Data-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

Vulnerability In Logistics Company Shipyaari’s Tracking Feature Exposed User Data-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

Vulnerability In Logistics Company Shipyaari’s Tracking Feature Exposed User Data-Inc42 Media
Vulnerability In Logistics Company Shipyaari’s Tracking Feature Exposed User Data-Inc42 Media
You’re in Good company