Update: The TrinTrin development team reached out to me; they have fixed the major issues discussed in this post. I have a working list of recommendations to make the service more secure for everyone.

On Sunday, June 4th, we Mysoreans got India's first public bicycle sharing service. The project is an initiative of the State Government and is being funded by the World Bank under its Global Environment grant. Everyone was excited; it received detailed coverage on local and national television and in the newspapers.

Thousands of people have already signed up for the service. Even a few of my friends signed up, against my advice. So why am I advising my friends not to sign up?

Back in April, when I was browsing https://www.mytrintrin.com/, I stumbled upon JavaScript that exposed a huge security bug. Basically, it allowed anyone to access their database, where they store sensitive user information like name, phone number, address and identity documents (Passport/Driving License/Aadhaar). This puts every registered user at a higher risk of identity theft.

The security of the MyTrinTrin website/API is hilariously lousy; a curious school student could walk away with the personal information of everyone registered on the website/app.

Here are the three major issues that I noticed:

1. Unsecured database: at some point the whole MongoDB (dev/testing) database was accessible to anyone. This looks like it is fixed now, or is it? 🤔

2. Unsecured web APIs: if you're curious and know a little bit of web development, you can pretty much query all the records in their database. It's funny (or sad) that you can do that without registering on the website; all the APIs are open and public, with no authentication and no check that the record you ask for is your own.

My user record

3. Web directory browsing: you never make your mapped web directories publicly browsable, ever, when they contain sensitive user information. Directory indexing should be off on the web server, and uploaded identity documents belong outside the web root, served only through a route that checks who is asking.

Users identity documents accessible to public

When I raised these concerns with the MyTrinTrin development team back in April, they were extremely polite and calm, and promised these issues would be fixed in time for the launch. I believed them, but guess what: nothing has changed. Their website and apps still expose users' sensitive personal information.

I hope this post brings a spotlight on these issues and gets them fixed; I can't wait to ride around the city on those bikes 🚴