A major security flaw was detected on online furniture store Pepperfry's website, which could have allowed users to sign in to another registered user's account. Pepperfry has claimed that the bug was fixed within an hour of being detected.
Security researcher Ehraz Ahmed found the bug on Pepperfry's website that led to the security flaw. Speaking exclusively to Moneycontrol, Ahmed said that the bug could allow a user to log into another user's account and/or create a new account for any user that did not yet exist.
The flaw was in the website's 'Internal Authentication' Application Programming Interface (API), which logged users in automatically. The same API exposed users' personal information, such as their name, address and contact number.
[Image: user details listed after Ahmed entered the email id]
The same bug led to another security flaw that allowed a hacker to change the first and last name of a Pepperfry user, Ahmed claimed.
[Image: the first bug led to another bug that allowed the hacker to change a user's first and last name]
[Image: the changed name reflected on Pepperfry's website]
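The two weaknesses described above (an auto-login API that trusts a client-supplied email id, and a name-change call that follows from it) come down to deriving identity from request input instead of from a server-verified credential. The following is an added illustration, not Pepperfry's code; the user store, the `SERVER_KEY` and the token format are constructed for the example. It places the flawed lookup beside a hardened version in which the account is always taken from a server-signed token.

```python
import hmac
import hashlib
import secrets

# Constructed sample user store; hypothetical, not Pepperfry's data or code.
USERS = {
    101: {"email": "alice@example.com", "first": "Alice", "last": "Ng"},
    102: {"email": "bob@example.com", "first": "Bob", "last": "Rao"},
}
BY_EMAIL = {u["email"]: uid for uid, u in USERS.items()}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def weak_auto_login(email):
    """Flawed pattern: identity is whatever email the client supplies."""
    uid = BY_EMAIL.get(email)
    return dict(USERS[uid]) if uid else None


def issue_remember_token(uid):
    """Issued only after a real credential check (assumed to happen elsewhere)."""
    mac = hmac.new(SERVER_KEY, str(uid).encode(), hashlib.sha256).hexdigest()
    return f"{uid}.{mac}"


def verify_token(token):
    """Return the user id bound to the token, or None if we did not issue it."""
    try:
        uid_str, mac = token.split(".", 1)
        uid = int(uid_str)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, uid_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected) or uid not in USERS:
        return None
    return uid


def auto_login(token):
    """Hardened: the profile comes from the verified token, never from client input."""
    uid = verify_token(token)
    return dict(USERS[uid]) if uid is not None else None


def update_name(token, first, last):
    """Name changes apply only to the account the token proves ownership of."""
    uid = verify_token(token)
    if uid is None:
        return False
    USERS[uid]["first"], USERS[uid]["last"] = first, last
    return True
```

An audit of such an endpoint should confirm that no request parameter other than the signed token can select which account's data is returned or modified.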
Moneycontrol reached out to Pepperfry to confirm if there was a flaw and the company said: “Protecting customer data is of utmost priority for us. In order to maintain a secure platform as technologies and cyber threats evolve, we conduct security audits, regularly update our security protocols, do not store any customer financial details on our platform and also work with the ethical hacking community to identify and fix any potential issues. We typically fix a vulnerability within a few hours of it being identified.”
The company added that the bug was found and fixed within an hour and that there was no loss of any information, nor was the information of any user at risk.
The bug could have potentially affected over 2 million Pepperfry users had it not been addressed in time. Such flaws have earlier led to massive data leaks wherein personal information of users was breached.