Justdial Data Leak Case Study
July 5, 2019
Holla! As you have clicked the link to the case study series of Appin Indore, here is a case study of a data leak at one of the well-known names in the Indian economy.
Let us introduce you to Justdial first, if you are not already aware of it. Justdial is a data giant and the biggest Indian hyperlocal search engine. It is a public company founded by serial entrepreneur Mr. V.S.S. Mani, with headquarters in Mumbai. The company has some serious visitor statistics, with around 134 Mn unique visitors every quarter. Its app download count is also impressive, having crossed 22.8 Mn downloads.
The company’s original service was a phone-based local directory; today it operates in 25 different verticals. Over time, the company has entered various sectors such as bills, recharge, food delivery, grocery, restaurant booking, movie tickets, cabs, flight tickets and events. With an on-ground presence in over 250 cities covering around 11K pin codes, Justdial has branches in 11 cities across the country.
In the month of April, an independent security researcher, Rajshekhar Rajaharia, surfaced a loophole in the database of the Indian hyperlocal search engine Justdial. It was estimated that, with the loophole in place, the personal information of over 100 Mn users was exposed in the public domain. A Justdial spokesperson commented on the issue that “All sensitive user information including any financial information as well as any user passwords are protected as per industry practices (further, the majority of JD platforms work on OTP-based authentication).”
On April 17, Justdial’s senior database architect Rajeev Nair responded to the exposure claims: “We are still investigating the system for any such alleged loopholes. We have been trying for the past two-three days and as far as we are concerned there is no loophole. Most of our systems and APIs are foolproof and there are security and coding enrichments that we do around it. We will explore further on the front pointed out by the security researcher and arrest it as soon as we can, if at all there is any loophole like this.”
The loophole was fixed within a week of Rajshekhar’s public post that disclosed it. Later in April, the researcher surfaced another loophole, this time in the company’s APIs, which exposed the company’s database of reviewers. Rajaharia also made a video post to explain the anomaly. He commented that “The API connected to Justdial’s database of reviewers has been unprotected since the company’s foundation. This loophole means that reviewers’ names, mobile numbers, and locations were publicly available on the internet.”
To this, the spokesperson responded that all relevant information, including financial information, on Justdial’s platforms is stored in double-encrypted format and is regularly audited by a PCI DSS-compliant auditing firm.
After some time, the exposure claims were found to be true, and Justdial’s team fixed the issue.
It may be a rocky ride for the affected company, but data breach cases deeply affect the trust and credibility of companies. While cyber hiccups like this are quite expected these days, companies should strengthen the internal controls of their systems and networks and conduct regular audits of externally-reachable authentication endpoints.
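The failure described above is an API that answered anonymous requests with reviewer names, mobile numbers and locations, and the recommendation that follows from it is a recurring audit of your own externally-reachable endpoints. The script below is an added example, not Justdial’s code or the researcher’s tooling: it requests each listed endpoint of your own service with no credentials and flags any that is not refused, with a stricter flag when the response carries personal-data-looking fields. The endpoint paths, the PII key list and the canned responses are constructed for illustration; the `urllib_fetch` helper is the only part that talks to a real host, and the base URL it takes is an assumption you supply.

```python
"""Unauthenticated-access audit for your own API endpoints (added example).

Each path is fetched once with no session, cookie or token. A 401/403 is the
expected answer; a 200 is reported, and a 200 whose body looks like personal
data (PII-style JSON keys or a 10-digit Indian mobile number) is reported as a
leak. All paths, keys and sample responses here are constructed, not taken
from any real service.
"""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Keys that should never appear in a response to an anonymous caller (assumed list).
PII_KEYS = {"mobile", "phone", "email", "name", "location", "address"}
# Indian mobile numbers are 10 digits starting 6-9 (constructed heuristic).
INDIAN_MOBILE = re.compile(r"\b[6-9]\d{9}\b")

Fetcher = Callable[[str], Tuple[int, str]]


@dataclass
class Finding:
    path: str
    status: int
    reason: str


def looks_like_pii(body: str) -> bool:
    """True if the body contains a mobile number or JSON records with PII-style keys."""
    if INDIAN_MOBILE.search(body):
        return True
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    records = doc if isinstance(doc, list) else [doc]
    return any(
        isinstance(rec, dict) and PII_KEYS & {k.lower() for k in rec}
        for rec in records
    )


def audit_endpoints(fetch: Fetcher, paths: List[str]) -> List[Finding]:
    """Fetch each path anonymously and report every one that is not refused."""
    findings: List[Finding] = []
    for path in paths:
        status, body = fetch(path)
        if status in (401, 403):
            continue  # correct behaviour: anonymous access refused
        if status == 200 and looks_like_pii(body):
            findings.append(Finding(path, status, "anonymous request returned personal data"))
        elif status == 200:
            findings.append(Finding(path, status, "anonymous request succeeded; confirm this endpoint is meant to be public"))
    return findings


def urllib_fetch(base_url: str) -> Fetcher:
    """Real fetcher for a host you own (base_url is an assumption you supply)."""
    import urllib.error
    import urllib.request

    def fetch(path: str) -> Tuple[int, str]:
        try:
            with urllib.request.urlopen(base_url + path, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, ""

    return fetch


# Constructed stand-in for a backend so the audit runs offline:
# one leaking endpoint, one correctly protected one, one harmless public one.
CANNED: Dict[str, Tuple[int, str]] = {
    "/api/reviews": (200, json.dumps([{"name": "Sample Reviewer", "mobile": "9876543210", "location": "Mumbai"}])),
    "/api/profile": (401, ""),
    "/api/health": (200, '{"status":"ok"}'),
}


def fake_fetch(path: str) -> Tuple[int, str]:
    return CANNED.get(path, (404, ""))


if __name__ == "__main__":
    for f in audit_endpoints(fake_fetch, list(CANNED)):
        print(f"{f.path} -> HTTP {f.status}: {f.reason}")
```

Run against the canned backend, the audit reports `/api/reviews` as a personal-data leak and `/api/health` as an anonymous success to confirm, and stays quiet about `/api/profile`. To use it as the recurring check the text recommends, swap `fake_fetch` for `urllib_fetch("https://staging.example.invalid")` pointed at your own host and run it from CI after every deployment; the interesting result is any endpoint that moves from the refused list to the reported list.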
We strive to bring you the best case studies on the threats of the cyber world. Check out Appin’s blogs for similar content and updates.