Powered By Inc42 BrandLabs

Powered By Inc42 BrandLabs

After Times Internet’s Gaana.com and cab hailing app Ola, a hacker recently hacked online restaurant search and discovery service startup Zomato.

Zomato, which currently serves various Indian cities and 21 other countries, has over 62.5 million registered users. The team quickly responded and solved the bug.

Usually when a user makes an account on Zomato, they get an option to store phone number, addresses, date of birth etc., the hacker in a blogpost, explained that in one of the API call, they were reflecting the user data based on the “browser_id” parameter in the API request. He mentioned that the “browser_id” sequentially resulted in data leakage of other Zomato users. The data leaked also had Instagram access token which could be used to see private photos on Instagram of respective Zomato users.

Below are the details given by the hacker about the vulnerability in his blog:

Description

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files.

Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.

Reference:  https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References

Vulnerable endpoint

POST /v2/userdetails.json/XXXXX?&browser_id=XXXXX&type=journey&lang=en&uuid=pgh1evyBWvL+sp9/JpwUpItnk8Q=&app_version=6.5.0.1 HTTP/1.1

Accept: */*

Content-Length: 214

Accept-Encoding: gzip, deflate

X-Zomato-API-Key: XXXXXXX

Powered By Inc42 BrandLabs

Powered By Inc42 BrandLabs

Content-Type: application/x-www-form-urlencoded

User-Agent: Zomato/5.0

Host: 1api.zomato.com

Connection: Keep-Alive

Cache-Control: no-cache

lang=en&uuid=pgh1evyBWvL%2Bsp9%2FJpwUpItnk8Q%3D&client_id=Zomato_WindowsPhone8_v2&app_version=6.5.0.1&device_manufacturer=NOKIA&device_name=NOKIA%2520Lumia%25201020&access_token=xyz

Replacing the XXXXX with victim’s user id in the above request led to information disclosure.

Ease of exploitability:

You can easily get userid of any zomato user by visting their profile. They are public and appended to your profile url.

Proof of concept video

This bug was responsibly disclosed to Zomato and was fixed within few minutes by the engineering team.

Disclosure Timeline:

June 1, 2015  09:29 PM : Report sent to Deepinder Goyal, CEO

June 2, 2015  12:54 PM :  Added Gunjan Patidar, CTO and Shrey Sinha to the mail thread

June 2, 2015   1:04 PM  : Bug acknowledged by Gunjan Patidar

June 2, 2015  2:01 PM   : Confirmation of vulnerability fix from Gunjan Patidar

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.