We discovered severe bugs in 11 startups worth $3 billion+ in a week

Multiple bugs in Indian startups, ranging from user data leaks and user account takeover to free orders.

UPDATE (23 Oct): We discovered bugs in 4 more startups last week, almost all of them on their way to becoming unicorns. We will post the details on our blog once the respective bugs are fixed.

Why write this post?

We disclosed the bugs responsibly to the top execs of the respective startups. Some of the startups acted swiftly, others needed multiple emails, but unfortunately some did not reply even after repeated emails, putting sensitive user data and some VC money at risk. Some of the bugs were somewhat trivial: any decent engineer could get your personal data and sell it to brokers in the grey market.

This post is to draw the attention of the companies that have still not responded. Maybe social media can help. To be clear, we only discovered existing security vulnerabilities and informed the companies involved. We did not attempt to intrude into anyone's external or internal systems.

Our criteria for selecting startups to test

We could not check all startups for bugs due to a shortage of time. We included startups that have raised more than $10 million or are worth more than $100 million. In the context of India, $100 million is a lot of money, since the biggest startup acquisition that has happened in India was that of Freecharge for $400 million. All of the companies are consumer startups whose services are used by thousands of people every day.

Most of the bugs were logic flaws that ideally should have been caught at the whiteboard stage. Unlike SQL injection and XSS, these cannot be detected by automated vulnerability scanners. Frankly speaking, we did not check comprehensively for XSS or SQL injection, since there were so many other bugs to discover.