Posts tagged: bug

Hyundai’s India subsidiary has fixed a bug that exposed its customers’ personal information in the South Asian market.

TechCrunch reviewed a portion of the exposed data that included the registered owner name, mailing address, email address and phone number of Hyundai Motor India customers who have serviced their vehicles at any of the company’s authorized service stations across India. The bug also disclosed vehicle details, including the registration number, color, engine number and mileage covered.

In a phone conversation on Thursday, Hyundai Motor India spokesperson Siddhartha P. Saikia said the company would provide a statement. When shared by email, the statement said:

We understand the importance of safeguarding the data of our customers and accordingly strive to create robust systems and processes. Further, these systems get periodically reviewed and updated based on needs. The Repair Order/Invoice link is shared only on the mobile number registered by the customer, once they have opted in to receive such updates. These are system-generated links without any human involvement. Hyundai assures continued efforts to safeguard the interest of the customers.

Hyundai Motor India did not answer questions about whether it had the technical means, such as logs, to determine any improper access to a customer’s records, nor would the company say if any bad actors exploited the issue.

Security researcher Ashutosh, who preferred not to be named in full, shared the details about the simple bug with TechCrunch. The bug exposed customers’ personal information through the web links Hyundai Motor India shared with customers over WhatsApp after receiving their vehicles for servicing at an authorized service station.

The web links that redirected customers to the repair orders and invoices in PDF files contained the customer’s phone number. A malicious actor could expose the information of other customers by changing the phone number in the link.

TechCrunch confirmed the researcher’s findings and emailed Hyundai Motor India on December 29. The company responded on January 4. TechCrunch shared the details of the bug with Hyundai Motor India on the same day, and requested Hyundai Motor India fix the bug within seven days due to its simplicity and severity. Hyundai Motor India fixed the bug on Thursday.

Upon receiving the company’s response, TechCrunch confirmed the bug was fixed, and the links in concern were no longer active and were redirected to a page giving an error message.

Established in 1996, Hyundai Motor India is among the top three carmakers in the country, alongside Maruti Suzuki and Tata Motors. Hyundai Motor India has a network of more than 1,500 service stations in the country. In May, the carmaker announced an investment of $2.45 billion (200 billion Indian rupees) over the next 10 years in the southern Indian state of Tamil Nadu to bolster its plans for electric vehicles.

Hyundai’s India subsidiary has fixed a bug that exposed its customers’ personal information in the South Asian market.

TechCrunch reviewed a portion of the exposed data that included the registered owner name, mailing address, email address and phone number of Hyundai Motor India customers who have serviced their vehicles at any of the company’s authorized service stations across India. The bug also disclosed vehicle details, including the registration number, color, engine number and mileage covered.

In a phone conversation on Thursday, Hyundai Motor India spokesperson Siddhartha P. Saikia said the company would provide a statement. When shared by email, the statement said:

We understand the importance of safeguarding the data of our customers and accordingly strive to create robust systems and processes. Further, these systems get periodically reviewed and updated based on needs. The Repair Order/Invoice link is shared only on the mobile number registered by the customer, once they have opted in to receive such updates. These are system-generated links without any human involvement. Hyundai assures continued efforts to safeguard the interest of the customers.

Hyundai Motor India did not answer questions about whether it had the technical means, such as logs, to determine any improper access to a customer’s records, nor would the company say if any bad actors exploited the issue.

Security researcher Ashutosh, who preferred not to be named in full, shared the details about the simple bug with TechCrunch. The bug exposed customers’ personal information through the web links Hyundai Motor India shared with customers over WhatsApp after receiving their vehicles for servicing at an authorized service station.

The web links that redirected customers to the repair orders and invoices in PDF files contained the customer’s phone number. A malicious actor could expose the information of other customers by changing the phone number in the link.

TechCrunch confirmed the researcher’s findings and emailed Hyundai Motor India on December 29. The company responded on January 4. TechCrunch shared the details of the bug with Hyundai Motor India on the same day, and requested Hyundai Motor India fix the bug within seven days due to its simplicity and severity. Hyundai Motor India fixed the bug on Thursday.

Upon receiving the company’s response, TechCrunch confirmed the bug was fixed, and the links in concern were no longer active and were redirected to a page giving an error message.

Established in 1996, Hyundai Motor India is among the top three carmakers in the country, alongside Maruti Suzuki and Tata Motors. Hyundai Motor India has a network of more than 1,500 service stations in the country. In May, the carmaker announced an investment of $2.45 billion (200 billion Indian rupees) over the next 10 years in the southern Indian state of Tamil Nadu to bolster its plans for electric vehicles.

A bug in the online forum for the fertility tracking app Glow exposed the personal data of around 25 million users, according to a security researcher.

The bug exposed users’ first and last names, self-reported age group (such as children aged 13-18 and adults aged 19-25, and aged 26 and older), the user’s self-described location, the app’s unique user identifier (within Glow’s software platform) and any user-uploaded images, such as profile photos.

Security researcher Ovi Liber told TechCrunch that he found user data leaking from Glow’s developer API. Liber reported the bug to Glow in October, and said Glow fixed the leak about a week later.

An API allows two or more internet-connected systems to communicate with each other, such as a user’s app and the app’s back-end servers. APIs can be public, but companies with sensitive data typically restrict access to its own employees or trusted third-party developers.

Liber, however, said that Glow’s API was accessible to anyone, as he is not a developer.

An unnamed Glow representative confirmed to TechCrunch that the bug is fixed, but Glow declined to discuss the bug and its impact on the record or provide the representative’s name. As such, TechCrunch is not printing Glow’s response.

In a blog post published on Monday, Liber wrote that the vulnerability he found affected all of Glow’s 25 million users. Liber told TechCrunch that accessing the data was relatively easy.

Contact Us

Do you have more information about similar flaws in fertility tracking apps? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email [email protected]. You also can contact TechCrunch via SecureDrop.

“I basically had my Android device hooked up with [network analysis tool] Burp and poked around on the forum and saw that API call returning the user data. That’s where I found the IDOR,” Liber said, referring to a type of vulnerability where a server lacks the proper checks to ensure access is only granted to authorized users or developers. “Where they say it should be available to devs only, [it’s] not true, it’s a public API endpoint that returns data for each user — simply attacker needs to know how the API call is made.”

While the leaking data might not seem extremely sensitive, a digital security expert believes Glow users deserve to know that this information is accessible.

“I think that is a pretty big deal,” Eva Galperin, the cybersecurity director at the digital rights non-profit Electronic Frontier Foundation, told TechCrunch, referring to Liber’s research. “Even without getting into the question of what is and is not [private identifiable information] under which legal regime, the people who use Glow might seriously reconsider their use if they knew that it leaked this data about them.”

Glow, which launched in 2013, describes itself as “the most comprehensive period tracker and fertility app in the world,” which people can use to track their “menstrual cycle, ovulation, and fertility signs, all in one place.”

In 2016, Consumer Reports found that it was possible to access Glow user’s data and comments about their sex lives, history of miscarriages, abortions and more, because of a privacy loophole related to the way the app allowed couples to link their accounts and share data. In 2020, Glow agreed to pay a fine of $250,000 after an investigation by California’s Attorney General, which accused the company of failing to “adequately safeguard [users’] health information,” and “allowed access to user’s information without the user’s consent.”