Earlier this month, independent security researcher Rajshekhar Rajaharia discovered a major security loophole in the database of the Indian hyperlocal search engine Justdial. The loophole had exposed Justdial's database of over 100 Mn users. The company fixed it a week after Rajaharia's public post.
However, on April 29 the researcher discovered another loophole, this time in the company's APIs, which exposed the company's database of reviewers. The second loophole was fixed on the same day as the researcher's report, Rajaharia told Inc42.
“The API connected to Justdial's database of reviewers has been unprotected since the company's foundation. This loophole means that reviewers' names, mobile numbers, and locations were publicly available on the internet,” Rajaharia told Inc42.
Rajaharia had made his case about the recent data leak in a video post.
To confirm this, we asked him to pull out the data of some restaurant reviews made by our team. The screenshots of the data pulled out by the researcher follow.
In response to an Inc42 query, Justdial said that its team had contacted Rajaharia and had fixed the issue which had caused the data breach.
A Justdial spokesperson had told Inc42 at the time of the earlier data leak, “All sensitive user information including any financial information as well as any user passwords are protected as per industry practices (further, the majority of JD platforms work on OTP-based authentication).” The spokesperson had also said that financial information on its platforms is stored in double-encrypted format and regularly audited by a PCI DSS-compliant auditing firm.
The Justdial Data Leak Saga
On April 12, Rajaharia first wrote about the publicly available Justdial user data in a Facebook post. The post read, “Dear Justdial Your 100 Million users' data including name, email, mobile number, gender, dob, address, photo, company, occupation & other details are publicly accessible.”
Four days after Rajaharia's public post and multiple failed attempts on his part to connect with Justdial, Inc42 reported the leak of Justdial's 100 Mn-user database on April 16.
On April 17, Justdial’s senior database architect Rajeev Nair finally responded to the claims and told Inc42, “We are still investigating the system for any such alleged loopholes. We have been trying for the past two-three days and as far as we are concerned there is no loophole. Most of our systems and APIs are foolproof and there are security and coding enrichments that we do around it. We will explore further on the front pointed out by security researcher and arrest it as soon as we can, if at all there is any loophole like this.”
Following this statement, on the morning of April 18, Justdial sent Inc42 a further clarification stating that there had been no data breach of 100 Mn users as claimed in reports or otherwise.
Later the same day, however, Rajaharia claimed that the problem had not been fixed despite the company's claims. He had said at that time, “Lots of APIs are still available which anyone can use to spam or bombard thousands or lakhs of SMSes at once without their (Justdial or its users) permission. These APIs also don't use any token or any other auth captcha.”
Rajaharia later confirmed to Inc42 that the loophole in Justdial's user database was fixed by the eve of April 18; however, the latest leak of reviewers' data indicates that the problem may run deeper.
Data Giant With 134 Mn Unique Quarterly Users
Justdial was founded by serial entrepreneur V.S.S. Mani. The Mumbai-based company went public in May 2013. In the third quarter of FY2019, the company claimed to have around 134 Mn unique quarterly visitors on its platform.
With 78.5% of its users coming from mobile, its cumulative app downloads in January 2019 stood at 22.8 Mn. Justdial’s operating revenue in Q3 FY19 was INR 2,268 Mn with a net profit of INR 573 Mn.
Justdial started as a phone-based local directory and now has more than 25 verticals on its website. The company currently offers services such as bills and recharge, grocery and food delivery, and handles bookings for restaurants, cabs, movie tickets, flight tickets, events and more.
Justdial claims to have branches in 11 cities across India with an on-ground presence in over 250 Indian cities covering more than 11K pincodes.
Data Leaks In Indian Startups
Just two months back (February 2019), travel booking platform Ixigo was reported to have leaked 18 Mn user records. This leak had exposed users' names, email addresses, and scrambled passwords. Ixigo was reported to have used the outdated MD5 hashing algorithm to scramble passwords, which hackers were easily able to unscramble.
In October 2018, Pune-based fintech startup EarlySalary also reported a security breach. The breach was said to have compromised the names and mobile numbers uploaded by potential customers on its website. However, the number of leaked records could not be determined at that time.
Just a month before the EarlySalary news, the foodtech startup FreshMenu had also owned up to a data breach from 2016. The breach had reportedly affected 110K Indian users.
Prior to this, in 2017, restaurant discovery company Zomato too reported a data breach affecting 17 Mn users, exposing the users' email addresses and hashed passwords.
With the increasing number of data breaches in the country, the Indian government has been taking some steps at a policy level. In July, a high-level panel headed by Justice B.N. Srikrishna submitted its recommendations and the draft Personal Data Protection Bill 2018 to IT minister Ravi Shankar Prasad. Since then, the Indian government has faced a backlash from members of the business community and associations such as the Internet and Mobile Association of India, NASSCOM, and ecommerce giants Amazon and Walmart over the provisions of the draft bill.