SUMMARY
The logistics company exposed the data of thousands of customers because of a leak in its internal shipment information
Since the first detection of the leak in late 2021, Shipyaari has fixed the issue
The leaked Shipyaari data included customer names, addresses, phone numbers, order invoice data and delivery status
Mumbai-based logistics company Shipyaari, which offers logistics services to D2C brands, exposed the personal data of its customers because of a vulnerability in its shipment tracking functionality.
The aforementioned vulnerability, which was discovered by Indian security researcher Ashutosh Barot, lasted for months until its eventual fix late last month.
The leaked Shipyaari data included customer names, addresses, phone numbers, order invoice data and delivery status. Since the client tracking page was not password protected, anyone could view the same with the web address, Barot noted.
Explaining how the data could be accessed, he told Inc42, “Tracking IDs are numeric, so all possible numbers can be tried using automated tools. Therefore, an attacker could try numbers sequentially or randomly to gain correct tracking ID and access customers’ personal information.”
Barot first detected the vulnerability in October 2021 and reached out to the logistics player. However, Shipyaari only fixed the issue in the last week of July. The logistics major removed all the personally identifiable information, or PII, from its tracking page and put the tracking page behind a security wall that now requires an OTP for access.
“I am glad that they implemented the fix as recommended,” Barot said of Shipyaari’s fix.
As a rule of thumb, logistics players allow users to check package tracking information by only using the order number or the invoice number. However, it should be standard practice to not display PII on tracking pages anywhere.
Speaking with Inc42, Shipyaari noted that it was a minor issue and has been addressed since it was detected. “As soon as the Shipyaari team became aware of the issue, the issue was addressed diligently and required restrictions were imposed to make it a securely authorised access. The details are now only provided to the authorised person after authentication,” the logistics company said.
Adding further, Shipyaari, “Thanks to the timely flagging, Shipyaari was able to tackle the matter head-on. The blessing in disguise is that the product got forcefully upgraded well ahead of the planned cycle from a security and user-friendliness standpoint.”
Detailing the fix, the logistics company added, “We have fully removed the PII data from the page(s). This information would be available only once the user is authorised else no PII info will be ever displayed. If any unauthorized access is attempted multiple times, then the system will block the access.”
Founded in 2013 by Nayan Ratandhyara and Vishal Totla, Shipyaari claims to serve more than 25,000 pin codes, handling 5,000 shipments a day. The logistics company’s website also claims to have partnered with more than 6,000 active sellers across the country.
India has seen its fair share of data leaks over the last few years, but none was as impactful and as badly handled as the MobiKwik data leak last year. Impacting almost 100 Mn users, the data leak was the largest of its kind in the Indian startup ecosystem.
However, not only did MobiKwik threaten the researcher that pointed to the leak, Rajshekhar Rajaharia but also denied the breach altogether and laid the blame for customer data leaking on customers themselves.
MobiKwik, however, was not alone in last year’s data leaks. Since November 2020, data leaks at LimeRoad, BigBasket, Zee5, Chqbook, Upstox and Bizongo saw data of more than 37.5 Mn customers leaked.
On the other hand, Domino’s India was the scene of a massive data leak, when data related to over 180 Mn orders appeared on the dark web.
India had been working on the Personal Data Protection Bill since 2017 but pulled it back after backlash from various corridors of the industry. The government cited various reasons for pulling the bill back, including an increased compliance burden on startups, and is working on a new bill.
Update | August 26, 2022, 11:50 PM
The article has been updated to include inputs from Ashutosh Barot and Shipyaari.
