SUMMARY
Justdial’s user data has been stored in an unsecured manner since 2015
Independent security researcher Rajshekhar Rajaharia discovered the loophole
Justdial says the issues is now fixed, but Rajaharia disputes this claim in latest response
An independent security researcher has discovered a major security loophole in Mumbai-based hyperlocal search engine Justdial’s database that has exposed user data from over 100 Mn users.
“The connection between the Justdial’s application and its database is not protected, which makes millions of user data vulnerable to data breach,” Rajshekhar Rajaharia told Inc42. He added that the data could be accessed publicly since 2015.
In a conversation with Inc42, Justdial’s senior database architect Rajeev Nair said, “We are still investigating the system for any such alleged loopholes. We have been trying for the past two-three days and as far as we are concerned there is no loophole. Most of our systems and APIs are foolproof and there is security and coding enrichments that we do around it.”
With more than 25 verticals on its website, Justdial started as a phone-based local directory. The company currently offers services such as bills and recharge, grocery and food delivery, and handles bookings for restaurants, cabs, movie tickets, flight tickets, events and more.
Justdial has branches in 11 cities across India with an on-ground presence in over 250 Indian cities covering more than 11K pincodes. The Mumbai-based company had gone public in May 2013.
Sensitive Information Out In The Open
The exposed data could lead to further attacks on Justdial users, if the data was used by cyber criminals and hackers. Rajaharia added, “In addition to users phone number and personal information, the company also tracks user’s buying and search history. This is sensitive data and can be used to carry out targeted advertisements without the consent of the user.”
To this, Nair said, “We are a data organisation and from that standpoint, we understand the sensitivity of the data that is there with us. Precisely for this reason, we do a lot of security and encryption from our end.”
Rajaharia first wrote about the exposed data in a Facebook post. “Dear Justdial Your 100 Million users data including name, email, mobile number, gender, dob, address, photo, company, occupation & other details are publicly accessible,” he had said.
Rajahari also shared the following screenshots of Justdial’s user data, which were extracted during his research process:
What’s worse about this data breach is that no one had to hack into Justdial’s servers to access the data. Rajaharia said, “As the data is available through a public URL and can be accessed without a password, Indian law does not have provisions to hold the hacker responsible for such a data breach. Only the company will be prosecuted in case of such a data leak.”
Justdial was founded by a serial entrepreneur V.S.S Mani. The company had reported 132.4 Mn unique quarterly visitors on its platform in the third quarter of FY2019. With 78.5% of its users coming from mobile, its cumulative mobile app downloads in January 2019 stood at 22.8 Mn. Justdial’s operating revenue in Q3 FY19 was INR 2,268 Mn with a net profit of INR 573 Mn.
Data Leaks On The Rise In India
When it comes to data leaks in the Indian context, the first thing we think of is Aadhaar. As recently as February 2019, Aadhaar details of over 6.7 Mn users containing details such as names, addresses and the numbers were leaked on Indane’s website. Prior to this in 2018, French cybersecurity expert Baptiste Robert (who goes by the pseudonym Elliot Alderson on Twitter) had uploaded website links containing the Aadhaar data of thousands of Indian citizens. And that’s just two examples among multiple leaks related to Aadhaar from state government bodies.
Other Indian startups including Pune-based fintech company EarlySalary and travel platform Ixigo have also witnessed data breach cases.
The Indian government is taking some steps on this front at a policy level. In July end, a high-level panel headed by Justice B N Srikrishna submitted its recommendations and the draft Personal Data Protection Bill 2018 to IT minister Ravi Shankar Prasad. Since then, the Indian government has faced a backlash from members of the business community and associations such as the Internet and Mobile Association of India, NASSCOM, and ecommerce companies like Amazon and Walmart over the provisions of the draft bill.
The European Union (EU) had also expressed reservations about the draft bill. “If implemented, this kind of provision would also likely hinder data transfers… contrary to what is sometimes suggested, India’s striving tech industry does not need this type of forced-localisation measures,” wrote Bruno Gencarelli, head of the International Data Flows and Protection Unit at the European Commission (EC).
After the Facebook-Cambridge Analytica scandal, Governments across the world are drafting and implementing laws around the flow of data. Countries such as Japan, Korea, and New Zealand have already passed data protection laws based on the principle of data localisation. Meanwhile, in Latin America, Brazil passed its own law in August 2018, while Chile announced the setting up of an independent data protection authority.
Update 1: April 17, 2019 | 5:32 PM
Justdial Investigating The Data Leak
Justdial sent Inc42 a statement about the comments were added to the article.
Justdial’s senior database architect Rajeev Nair said, “We are still investigating the system for any such alleged loopholes. We have been trying for the past two-three days and as far as we are concerned there is no loophole. Most of our systems and APIs are foolproof and there are security and coding enrichments that we do around it. We will explore further on the front pointed out by the security researcher and arrest it as soon as we can, if at all there is any loophole like this.”
Update 2: April 18, 2019 | 11:05 AM
Justdial Claims It Fixed The Issue
Justdial has now sent us a further clarification on the matter. A Justdial spokesperson told Inc42, “There has been No data breach of 100 million users, etc. as claimed in reports or otherwise. All sensitive user information including any financial information as well as any user passwords are protected as per industry practices (further, majority of JD platforms works on OTP-based authentication).” The spokesperson also said that financial information on its platforms is stored in double-encrypted format and regularly audited by PCI DSS compliant auditing firm.
“However, the older versions of our apps, which currently cater to only a very small fraction of our users, were using certain APIs by which basis a particular mobile number entered, certain basic user details were accessible (no financial information was accessible). This vulnerability which existed on the older app platforms is also now fixed. Newer (current) versions of the app where the majority of users are available do not have the above vulnerability,” the spokesperson added, before saying that Justdial has implemented adequate encryption for the older APIs which were impacted. “While there are regular audits conducted, we have also initiated an independent tech-audit to identify any existing vulnerabilities.”
The company reiterated that no data breach occurred and that it has been verified by an independent security researcher (name undisclosed). “Justdial has ~134 million quarterly unique users (for the quarter ending Dec 2018) and we have robust systems in place to ensure that user information and other data remains adequately protected.”
Update 3: April 18, 2019 | 12:50 PM
Security Researcher Questions Justdial’s Claims
In response to Justdial’s latest clarification above, security researcher Rajshekhar Rajaharia, who discovered the issue in the first place, said the problem is still not fixed. “Lots of APIs are still available from which anyone can spam or bombard thousands or lakhs of SMSes at once without their (Justdial and users) permission. These APIs also don’t use any token or any other auth captcha. Think what happens if someone bombards lakhs of SMSes to your users with a single click with OTP using your API at midnight. You should use auth or token there.”
We have reached out to Justdial to get their response on these claims, and will update our story as soon as we receive a statement.
