
EXCLUSIVE | 10 mobile apps using Razorpay payment gateway expose transaction keys

CloudSEK said the leaked API credentials can be exploited to obtain users' personal details, such as phone numbers and email addresses, and to initiate unauthorised refunds. Mobile applications of companies such as Isha Foundation, Zify and Ruptok are named in the report.

September 16, 2021 / 05:52 PM IST
API, or Application Programming Interface, is a software intermediary that allows two applications to talk to each other. It is the messenger that delivers your request to the service provider you're requesting it from and then delivers the response back to you. [Image: Shutterstock]

Nearly 10 mobile applications using Razorpay as payment gateway are exposing secret keys, putting personal data of users at risk, a report by cybersecurity company CloudSEK said.

The report made it clear that Razorpay itself is not at fault; it is the individual companies that shipped the keys in their apps that are to blame.

The 10 mobile applications include those of Jaggi Vasudev’s Isha Foundation, steel trading e-commerce app Steeloncall.com, vehicle hiring app Zify, fintech platform Ruptok and Spark Live. The API keys are exposed in these applications, the report said.

About 250 apps use the Razorpay API for financial transactions.


What are the potential dangers?

If the API ID and secret key are leaked, they can be exploited to not only gain personal information of users, like phone numbers and email addresses, but also to initiate unauthorised refunds.

“An adversary can make bulk purchases and then initiate refunds. Such refunds can also lead to significant losses for the company,” the report accessed by Moneycontrol stated.

In fact, during the investigation, CloudSEK was able to access the transaction information for Rs 1,82,813, along with the payment IDs. Using just these two details, an adversary could carry out a refund, the report, titled ‘Exposed Payment Integration API Keys Imperil Millions of User’s Transaction Details and PII’, said.

A merchant's API key is a combination of a key ID and a key secret; together they authenticate every server-side API request to Razorpay, so whoever holds both can act as the merchant.

While this only makes up 5 percent of the total apps investigated by CloudSEK, these applications have a cumulative download count of 2.5 million. Given that a purported 8 million businesses use Razorpay to facilitate payments, the actual number of apps exposing their API keys could be much higher.

The report also warned that besides the risk of orchestrating scams, and even identity thefts using this personal data, a threat actor can either dump or sell the financial information, transaction details, and other personal information of users on cybercriminal forums or dark web marketplaces.

Razorpay Responds

Razorpay said its API keys are secure. If not, many merchants would have been affected, it said.

“Razorpay clearly mentions in contracts signed with merchants that such keys should not be exposed on any public platform,” Hepsibah Rosario, Head of Corporate Communication and Branding at Razorpay, told Moneycontrol.

She added that some of the merchants that had their platform keys exposed on public platforms were notified by the company to deactivate them. “We disabled it from our end when we received no response from the merchants or if the data was still public. Customer safety and merchant data is of utmost importance,” she added.

Talking about the methodology of the report, CloudSEK stated that whenever a BeVigil user submits an Android application for scanning, the company runs scanners and algorithms over it and gives the app a rating based on the security issues found. BeVigil is a free mobile application security testing tool.

“There are certain algorithms we use to find the secrets from Android applications,” it said in an email response.
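As an added illustration of the kind of check such scanners perform on an unpacked APK, the following Python example is not CloudSEK's BeVigil code or anything from Razorpay. The only documented format it relies on is the rzp_live_ / rzp_test_ prefix of Razorpay key IDs; the secret-detection rules, the suffix length, the file layout and every key value in the sample are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Razorpay key IDs carry a documented "rzp_live_" / "rzp_test_" prefix; the
# suffix length used here is a heuristic (assumption), not a published spec.
KEY_ID_RE = re.compile(r"\brzp_(live|test)_[A-Za-z0-9]{10,}\b")

# Key secrets have no distinctive prefix, so these two rules (assumptions) look
# for a long alphanumeric literal stored under a name containing "secret":
# one for Android string resources, one for code/property assignments.
SECRET_XML_RE = re.compile(
    r'<string\s+name="[^"]*secret[^"]*"\s*>\s*([A-Za-z0-9]{20,})\s*</string>', re.I)
SECRET_ASSIGN_RE = re.compile(
    r'\b[\w.]*secret[\w.]*\s*[=:]\s*["\']([A-Za-z0-9]{20,})["\']', re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str      # "key_id_live", "key_id_test" or "secret"
    value: str


def mask(value: str) -> str:
    """Show only enough of a credential to identify it in a report."""
    return value[:6] + "..." + value[-2:] if len(value) > 10 else "***"


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one decompiled file (strings.xml, Java/smali, properties, ...)."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            findings.append(Finding(path, line_no, f"key_id_{m.group(1)}", m.group(0)))
        for rx in (SECRET_XML_RE, SECRET_ASSIGN_RE):
            for m in rx.finditer(line):
                findings.append(Finding(path, line_no, "secret", m.group(1)))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """files maps a path inside the unpacked APK to its text contents."""
    seen: List[Finding] = []
    for path, text in files.items():
        for f in scan_text(path, text):
            if f not in seen:          # same credential, same line: report once
                seen.append(f)
    return seen


def assess(findings: List[Finding]) -> str:
    """Key IDs alone are expected in client code (Razorpay Checkout uses the
    public key ID); a secret shipped in the app is the real problem, and a
    live key ID beside a secret is the worst case the report describes."""
    kinds = {f.kind for f in findings}
    if "secret" in kinds and "key_id_live" in kinds:
        return "critical"
    if "secret" in kinds:
        return "high"
    if kinds:
        return "info"
    return "clean"


# Constructed sample of an unpacked APK; every path and value is made up.
SAMPLE_APP: Dict[str, str] = {
    "res/values/strings.xml": (
        '<resources>\n'
        '  <string name="app_name">DemoShop</string>\n'
        '  <string name="razorpay_key_id">rzp_live_AbCdEf1234567890</string>\n'
        '  <string name="razorpay_key_secret">Q8zX2vLm9Nq4tRw7YbPc3Hf6</string>\n'
        '</resources>\n'
    ),
    "sources/com/demo/PaymentClient.java": (
        "package com.demo;\n"
        "public class PaymentClient {\n"
        '    static final String KEY_ID = "rzp_test_1234567890abcd";\n'
        '    static final String KEY_SECRET = "Q8zX2vLm9Nq4tRw7YbPc3Hf6"; // must not ship\n'
        "}\n"
    ),
    "assets/config.properties": "razorpay.key_id=rzp_test_9876543210zyxw\n",
}


if __name__ == "__main__":
    results = scan_tree(SAMPLE_APP)
    for f in results:
        print(f"{f.path}:{f.line_no} {f.kind} {mask(f.value)}")
    print("verdict:", assess(results))
```

Run against a real app, the `SAMPLE_APP` dictionary would be replaced by the text files produced by an APK decompiler; the verdict logic is the part worth keeping, because it separates the key ID, which Razorpay's client-side checkout is designed to expose, from the key secret, which never belongs in a mobile binary.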

Is there a solution?

For Razorpay and other payment providers, mobile apps “are just one integration. They have integrations with web applications and wallets, and they can even be used on-premise in offices, shops, and other locations. Hence, exposed API keys don’t endanger the app but the entire merchant organisation’s payment data,” the report noted.

As a remedial action, the report suggests invalidating the leaked keys and generating a new key ID and secret pair. However, doing so could take several days, depending on factors such as the number of downloads and the flexibility of distribution. It is harder still if the app is used on older versions of Android, since getting all users to update to the new version may prove difficult.

It further suggested that app developers release a new version of the app with the key removed. “In order to avoid these issues, app developers are encouraged to be cognizant of the long-term effects of exposed API keys and set up review processes to avoid exposing the keys in the first place,” the report concluded.
Smriti Chaudhary
first published: Sep 16, 2021 04:03 pm
