WeWork India fixed a security flaw that exposed the personal information and selfies of tens of thousands of people who visited WeWork India’s coworking spaces.
Security researcher Sandeep Hodkasia found visitor data exposed by the check-in app on WeWork India’s website, used by visitors to log in at the dozens of WeWork India locations across the country. A bug in the app meant it was possible to access each visitor’s check-in record by incrementing or decrementing the user’s sequential user ID by a single digit.
Because the check-in tool was connected to the internet, the bug allowed anyone on the internet to scroll through thousands of records, revealing names, phone numbers, email addresses, and selfies in the process. Hodkasia said there are no obvious controls to prevent anyone from accessing the data in bulk.
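The flaw pattern described above, set beside a hardened lookup, as an added example that is not WeWork India’s code. The record store, field names and `CheckinService` class are hypothetical, the sample data is constructed, and it assumes the root cause was a lookup that trusted the ID in the request.

```python
import secrets
from collections import defaultdict

# Constructed sample data: hypothetical check-in records keyed by sequential ID.
RECORDS = {
    1001: {"owner": "alice", "name": "Alice A.", "phone": "555-0101"},
    1002: {"owner": "bob", "name": "Bob B.", "phone": "555-0102"},
    1003: {"owner": "carol", "name": "Carol C.", "phone": "555-0103"},
}

def get_record_vulnerable(record_id):
    """Flawed pattern: the ID in the request is the only thing checked."""
    return RECORDS.get(record_id)

class CheckinService:
    """Hardened pattern: session-bound ownership check plus a bulk-access cap."""

    def __init__(self, max_denied=3):
        self.sessions = {}                 # session token -> visitor identity
        self.denied = defaultdict(int)     # session token -> denied lookups
        self.max_denied = max_denied

    def login(self, visitor):
        token = secrets.token_urlsafe(32)  # unguessable, unlike a counter
        self.sessions[token] = visitor
        return token

    def get_record(self, token, record_id):
        visitor = self.sessions.get(token)
        if visitor is None:
            raise PermissionError("not authenticated")
        if self.denied[token] >= self.max_denied:
            raise PermissionError("session locked: repeated denied lookups")
        record = RECORDS.get(record_id)
        # Same error for "missing" and "not yours", so IDs cannot be probed.
        if record is None or record["owner"] != visitor:
            self.denied[token] += 1
            raise PermissionError("record not available")
        return {k: v for k, v in record.items() if k != "owner"}

def count_readable(service, token, ids):
    """Count how many of the given IDs one session can actually read."""
    readable = 0
    for rid in ids:
        try:
            service.get_record(token, rid)
            readable += 1
        except PermissionError:
            pass
    return readable
```

The denied-lookup counter doubles as a detection signal: a session that keeps requesting records it does not own is worth alerting on before it is locked.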
None of the data was encrypted.
Hodkasia detailed the bug to TechCrunch, which replicated and confirmed his findings, and forwarded the information to WeWork India.
Apoorva Verma, spokeswoman for WeWork India, confirmed via email that their website “had an error that allowed unintended access to basic visitor information”. The check-in app was removed from the site shortly after TechCrunch contacted the company. According to Verma, WeWork India is “in the midst of transitioning our website” and recent changes “mitigated” the exposure.
It is not known exactly how much visitor information was disclosed and for how long.
When asked whether there were any plans to notify those whose information was disclosed, WeWork India spokeswoman Sweta Nair said nothing. (India’s new rules for reporting data breaches, which require businesses to notify authorities of a data breach within six hours of discovery, have yet to come into effect, following a delay in introducing the rules.)
WeWork India joins a number of Indian companies and organizations that have suffered a cybersecurity failing over the past year. In 2020, during the peak of the COVID-19 pandemic, India’s largest mobile network Jio exposed a database containing the results of a coronavirus self-test symptom checker on its website. Earlier this year, India’s Central Industrial Security Force left a database packed with network protocols exposed to the internet, allowing anyone direct access to internal files on CISF’s internal network. And in June, TechCrunch reported the recent exposure of Aadhaar numbers, possibly involving millions of Indian farmers, thanks to a security hole at the government agency PM-Kisan.
To get in touch with the security desk, you can reach us on Signal at +1 646-755-8849 or by email at firstname.lastname@example.org.