A little over a month ago, a couple of 20-something computer engineers with time on their hands decided to ‘look under the hood’ of an online grocery retail service they frequently used. They found a glaring flaw in the website’s code that allowed them to place orders for free.

They decided to dig deeper and a few hours later had access to the personal information of the entire user base, including names, addresses, phone numbers and emails. They also identified a bug that would allow them to check out all the items in the shopping carts of the entire user base, which could have brought the company to its knees.

By the end of the day, Abhishek Anand and Manish Kumar, both graduates from the Birla Institute of Technology, Mesra, had identified massive bugs in three more Indian Internet start-ups that they used on a regular basis.

“We saw that there were a lot of start-ups like this that weren’t paying attention to security and protecting user information,” says Kumar, a former employee of Yahoo India. Thus, Fallible was born. The company aims to help Internet start-ups secure their websites and applications by locating bugs and potential exploits in their code before malicious hackers do.

Working out of a 1BHK in Bengaluru that doubles as Anand’s home and the new company’s makeshift office, the duo found major problems in 17 Indian e-commerce companies, all but one of them start-ups. Several of them are major names on their way to becoming ‘unicorns’ with billion-dollar valuations.

“Every company has bugs in their code,” says Anand who was new media website Scroll.in’s first hire. “But we did not test for the really common bugs, only those that might cause major problems.” Those problems ranged from potential free orders to full-scale leakage of personal data. In a couple of egregious cases, they found passwords stored in plain text and even bank account numbers.

Worm in the menu

Zomato, a restaurant guide and ordering service, had a vulnerability that allowed malicious code to be injected into its pages and served to unsuspecting users.

BookMyShow, a ticketing service, had multiple bugs, one of which made it possible for their entire user database to be deleted. ZoRooms, a hotel booking service, had security holes that exposed the personal data and booking history of all their users.

Among the other companies were grocery retailers PepperTap and BigBasket and Network18’s e-commerce arm, HomeShop18.

In keeping with the tradition of ‘white hat’ hackers who responsibly disclose their findings, the Fallible team contacted the companies. Several of the start-ups are now in the process of becoming clients of Fallible and are protected from being named by non-disclosure agreements. However, BusinessLine has viewed their initial email correspondence with Fallible and can verify its claims.

“At first, most of them did not respond. In several cases, we had to hunt for the top executives’ contact details,” says Anand.

When BusinessLine contacted the companies, some insisted that the bugs had been fixed post-haste but failed to clarify whether they had a formal bug submission procedure in place. Others did not respond.

“In India, white hat hackers are treated like crap,” he adds. “We do not have laws to protect user data. Whereas in the US, companies can be sued for leaking data.”

Kumar and Anand see Fallible evolving from the current two-man operation into a platform for companies to offer rewards for finding bugs, which can be claimed by independent hackers.
