Moneycontrol Be a Pro
Get App
you are here: HomeNewsTrends
Last Updated : Sep 06, 2019 09:55 PM IST | Source: Moneycontrol.com

Exclusive: Security breach on Pepperfry exposes details of users; now plugged

Security researcher Ehraz Ahmed found the bug on Pepperfry's website, which could have led to the security flaw.

Pranav Hegde @PranavHegdeHere

A major security flaw was detected on online furniture store Pepperfry's website, which could have allowed users to sign in to another registered user's account. Pepperfry has claimed that the bug was fixed within an hour of being detected.

Security researcher Ehraz Ahmed found the bug on Pepperfry's website, which could have led to the security flaw. Speaking exclusively to Moneycontrol, Ahmed said that the bug could allow a user to log into another user’s account and/or create a new account of any user, which does not exist.

The flaw was with the website's 'Internal Authentication' Application Program Interface (API), which allowed users to auto-login. The same API showed personal information of users such as their name, address, contact number etc.

Close

Screenshot 2019-09-06 at 9.06.20 PM

The same bug led to another security flaw that allowed a hacker to change the first and last name of a Pepperfry user, Ahmed claimed.

The first bug led to another bug that allowed the hacker to change a user's first and last name

Here is how the change in name was successfully reflected on Pepperfry's website.

Moneycontrol reached out to Pepperfry to confirm if there was a flaw and the company said: “Protecting customer data is of utmost priority for us. In order to maintain a secure platform as technologies and cyber threats evolve, we conduct security audits, regularly update our security protocols, do not store any customer financial details on our platform and also work with the ethical hacking community to identify and fix any potential issues. We typically fix a vulnerability within a few hours of it being identified.”

The company added that the bug was found and fixed within an hour and that there was no loss of any information, nor was the information of any user a risk.

The bug could have potentially affected over 2 million Pepperfry users had it not been addressed in time. Such flaws have earlier led to massive data leaks wherein personal information of users was breached.

Watch the video below for more:



The Great Diwali Discount!
Unlock 75% more savings this festive season. Get Moneycontrol Pro for a year for Rs 289 only.
Coupon code: DIWALI. Offer valid till 10th November, 2019 .
First Published on Sep 6, 2019 09:55 pm
Loading...
Sections
Follow us on
Available On
PCI DSS Compliant