We have a rather interesting data leak story to share. The company with the vulnerability has more than 5 million users. One of its API endpoints could be used to iterate over every user's data, including name, phone number, email address, profile picture, user metadata and saved physical address. The leak appears to be fixed now, but we have not received a response or confirmation from them, which we had requested so that we could share this post with them before publishing.

Data leaks in consumer tech companies expose their users to a variety of issues, including identity theft, physical scams, spam and even threats. There was a recent incident of prepaid mobile recharge shops in India selling phone numbers of random women for money. Phone numbers also enable search on Facebook.

Here is the complete email we sent to disclose the vulnerability, along with the technical details. (The extra HTTP headers for 3rd party services in the curl request have been removed and the auth tokens changed. We have also removed the curl response containing users' personal data.) The API uses a JSON Web Token (JWT) for authentication, presumably consumed by the apps in use before the pivot. After the pivot, the company added another JWT for the newer apps but kept using the earlier code path to derive the authenticated user id from the old token, leaving all user data openly accessible. When decoded, the JWT contains the following payload; the id is a small integer, so tokens with successive ids can be created to fetch the corresponding users' data.

{"user_name":null,"id":XXXX,"mobile":"YYYYYYYYYY","expires":180558878080}
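The failure described above comes down to one decision: whether the server derives the caller's identity from a token it has actually verified, or from whatever id claim happens to be in the payload. The following is an added example, not code from the company or from this post, that puts the weak legacy pattern beside a hardened one using only the Python standard library. Everything in it is an assumption: the HS256 signing algorithm, the server key, the user records, and the reading of `expires` as seconds since the Unix epoch are all constructed for illustration, since the real service's implementation is not known.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data: the real service's key and user records are unknown.
SERVER_KEY = b"constructed-server-signing-key"
SAMPLE_USERS = {
    1: {"name": "Alice Example", "mobile": "9000000001", "address": "1 Sample Road"},
    2: {"name": "Bob Example", "mobile": "9000000002", "address": "2 Sample Road"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT over the given claims (assumed algorithm). Used below both
    for the server's legitimate tokens and for a token signed with the wrong key."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def user_id_unverified(token: str) -> int:
    """Legacy pattern (weak): base64-decode the payload and trust its id claim.
    Nothing here checks the signature or the expiry, so any payload is accepted."""
    payload_b64 = token.split(".")[1]
    return int(json.loads(_b64url_decode(payload_b64))["id"])


def user_id_verified(token: str, key: bytes, now: Optional[float] = None) -> Optional[int]:
    """Hardened pattern: accept the id claim only after the HMAC signature and the
    expiry check out. Returns None for anything malformed, forged or expired.
    'expires' is treated as seconds since the Unix epoch (an assumption)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse 'none' and algorithm confusion
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        expires = claims.get("expires")
        current = time.time() if now is None else now
        if not isinstance(expires, (int, float)) or expires <= current:
            return None
        return int(claims["id"])
    except (ValueError, TypeError, KeyError, AttributeError):
        return None


def fetch_profile_legacy(token: str) -> Optional[dict]:
    """The endpoint as the disclosure describes it: whoever presents a token
    carrying id=N gets user N's record back."""
    return SAMPLE_USERS.get(user_id_unverified(token))


def fetch_profile(token: str, key: bytes = SERVER_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Same endpoint after the fix: identity comes only from a verified token."""
    user_id = user_id_verified(token, key, now)
    return None if user_id is None else SAMPLE_USERS.get(user_id)


if __name__ == "__main__":
    genuine = issue_token({"user_name": None, "id": 1, "mobile": "9000000001", "expires": 4102444800}, SERVER_KEY)
    # A token for id=2 signed with a key the server never issued: the legacy
    # handler cannot tell the difference, the hardened one rejects it.
    minted = issue_token({"user_name": None, "id": 2, "mobile": "", "expires": 4102444800}, b"not-the-server-key")
    print("legacy handler, wrong-key token  ->", fetch_profile_legacy(minted))
    print("hardened handler, wrong-key token ->", fetch_profile(minted))
    print("hardened handler, genuine token   ->", fetch_profile(genuine))
```

The design point is that `fetch_profile` never reads `id` before `user_id_verified` has confirmed the signature and expiry, and the comparison uses `hmac.compare_digest` rather than `==`. Retiring the legacy decode path entirely, rather than keeping it alongside the new token, is what closes the hole; a monitoring-side complement is to alert on one client fetching profiles for many distinct sequential ids.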