OYO Security Flaw Leaves Customer Data, Phone Numbers Unprotected

OYO Security Flaw Leaves Customer Data, Phone Numbers Unprotected

SUMMARY

The flaw was pointed out to OYO by a security researcher in August

The company has confirmed the details of privacy breach in an email to the security researcher

The customer data included booking ID, number of people in the room, phone numbers and location

Budget lodging chain OYO comes under the ambit of privacy breaches due to a flaw in its security system. According to a cybersecurity researcher, the company’s customer data, which included booking IDs, phone numbers, the number of people in a room and the location of the hotel, was public.

The security researcher Jay Sharma took to LinkedIn about the security breach. The researcher reported the issue to OYO and has received a reward of INR 25K, which was raised from the previous INR 5K.

Sharma also shared the email he received from OYO. OYO, in the email, assured the cybersecurity researcher that the company will be launching a bug bounty programme, like Facebook, to encourage more independent researchers to look for loopholes.

In the post, Sharma wrote that on his first booking in OYO he noticed that it was “compulsory” to enter booking ID and phone number to access the WiFI. “Why should anybody in the room be forced to share personal information via OTP verification to use WiFi?” he added.

Sharma researched and found that the “HTTP and ssh were open with no rate limit for the IP which was hosting this”. He claimed that any hacker could have extracted the data and details of those staying in those rooms.

“I created a way to brute force the login credentials while executing the captcha. Once login was brute-forced all the historical data dating back to a few months was accessible.”

An OYO spokesperson told ET, “At OYO, technology is deeply embedded in our DNA. We employ and invest heavily in the best in industry cybersecurity mechanisms including in house security operation centres, internal and external vulnerability scans and network penetration tests, training developers on secure development practices amongst others.”

OYO, which was launched in 2013, ventured into couple-friendly accommodation in August 2016. Since the launch of the so-called “relationship mode”, founder Ritesh Agarwal assured security and privacy.

In January this year, OYO had earned flak for its decision to share a real-time digital account of users check-in and check-out details.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

OYO Security Flaw Leaves Customer Data, Phone Numbers Unprotected-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

OYO Security Flaw Leaves Customer Data, Phone Numbers Unprotected-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

OYO Security Flaw Leaves Customer Data, Phone Numbers Unprotected-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

OYO Security Flaw Leaves Customer Data, Phone Numbers Unprotected-Inc42 Media
OYO Security Flaw Leaves Customer Data, Phone Numbers Unprotected-Inc42 Media
You’re in Good company