OYO Security Flaw Leaves Customer Data, Phone Numbers Unprotected

SUMMARY

The flaw was pointed out to OYO by a security researcher in August

The company has confirmed the details of the privacy breach in an email to the security researcher

The customer data included booking ID, number of people in the room, phone numbers and location

Budget lodging chain OYO is facing a privacy breach due to a flaw in its security system. According to a cybersecurity researcher, the company’s customer data, which included booking IDs, phone numbers, the number of people in a room and the location of the hotel, was publicly accessible.

The security researcher, Jay Sharma, took to LinkedIn to post about the security breach. The researcher reported the issue to OYO and has received a reward of INR 25K, which was raised from the previous INR 5K.

Sharma also shared the email he received from OYO. OYO, in the email, assured the cybersecurity researcher that the company will be launching a bug bounty programme, like Facebook, to encourage more independent researchers to look for loopholes.

In the post, Sharma wrote that on his first booking with OYO he noticed that it was “compulsory” to enter a booking ID and phone number to access the WiFi. “Why should anybody in the room be forced to share personal information via OTP verification to use WiFi?” he added.

Sharma researched and found that the “HTTP and ssh were open with no rate limit for the IP which was hosting this”. He claimed that any hacker could have extracted the data and details of those staying in those rooms.

“I created a way to brute force the login credentials while executing the captcha. Once login was brute-forced all the historical data dating back to a few months was accessible.”

An OYO spokesperson told ET, “At OYO, technology is deeply embedded in our DNA. We employ and invest heavily in the best in industry cybersecurity mechanisms including in house security operation centres, internal and external vulnerability scans and network penetration tests, training developers on secure development practices amongst others.”

OYO, which was launched in 2013, ventured into couple-friendly accommodation in August 2016. Since the launch of the so-called “relationship mode”, founder Ritesh Agarwal has assured security and privacy.

In January this year, OYO had drawn flak for its decision to share a real-time digital account of users’ check-in and check-out details.
