OYO exposed customer data through a flaw in its infrastructure that an attacker could exploit to extract the personal information users supplied for room bookings.
According to Jay Sharma, who reported the bug to OYO, “the http & ssh ports were open on the server with no rate limit for the IP which was hosting this.”
Taking advantage of this, he launched a brute force attack against the captcha, which is a random five-digit number. With only 100,000 possible values and no rate limit on requests, the code could simply be enumerated. Once the captcha was brute forced, the entire historical data was accessible.
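The attack described above, as an added example that is not code from the article or from the researcher: a toy lookup endpoint guarded by a five-digit numeric captcha, an enumerating client, and the per-IP attempt limit that the server lacked. The endpoint, the lockout policy and the sample booking record are constructed for illustration and are not OYO's.

```python
from collections import defaultdict
from typing import Optional

CAPTCHA_DIGITS = 5
CAPTCHA_SPACE = 10 ** CAPTCHA_DIGITS  # 100,000 possible codes, 00000..99999

# Constructed sample record standing in for the exposed booking data
# (booking ID, phone number, timestamp); not real data.
SAMPLE_RECORD = {
    "booking_id": "EXAMPLE-0001",
    "phone": "+91-XXXXXXXXXX",
    "timestamp": "2019-01-01T00:00:00Z",
}


class CaptchaGate:
    """Toy lookup endpoint that releases a record once the caller submits
    the right five-digit captcha value.

    With max_attempts=None it behaves like the unthrottled server in the
    article; with a limit it refuses the client IP after that many wrong
    guesses (a hypothetical lockout policy, chosen for illustration)."""

    def __init__(self, captcha_value: str, max_attempts: Optional[int] = None):
        if len(captcha_value) != CAPTCHA_DIGITS or not captcha_value.isdigit():
            raise ValueError("captcha must be exactly five decimal digits")
        self._captcha = captcha_value
        self._max_attempts = max_attempts
        self._failures = defaultdict(int)  # wrong guesses per client IP

    def lookup(self, client_ip: str, guess: str) -> Optional[dict]:
        """Return the record on a correct guess, None on a wrong one, or
        raise PermissionError once the IP has exhausted its attempts."""
        if (self._max_attempts is not None
                and self._failures[client_ip] >= self._max_attempts):
            raise PermissionError(
                f"{client_ip} locked out after {self._max_attempts} failures")
        if guess == self._captcha:
            return dict(SAMPLE_RECORD)
        self._failures[client_ip] += 1
        return None


def brute_force(gate: CaptchaGate, client_ip: str):
    """Enumerate every five-digit code in order until the gate yields the
    record. Returns (record, attempts), or (None, attempts) if the client
    is locked out before the correct code is reached."""
    attempts = 0
    for n in range(CAPTCHA_SPACE):
        guess = f"{n:0{CAPTCHA_DIGITS}d}"  # zero-padded, e.g. 00042
        attempts += 1
        try:
            record = gate.lookup(client_ip, guess)
        except PermissionError:
            return None, attempts
        if record is not None:
            return record, attempts
    return None, attempts


def worst_case_seconds(requests_per_second: float) -> float:
    """Time to exhaust the whole captcha space at a given request rate;
    with no rate limit this is bounded only by the attacker's bandwidth."""
    return CAPTCHA_SPACE / requests_per_second


if __name__ == "__main__":
    open_gate = CaptchaGate("73421")              # no rate limit
    record, tries = brute_force(open_gate, "203.0.113.5")
    print(f"unthrottled: record {record} after {tries} guesses")

    limited_gate = CaptchaGate("73421", max_attempts=5)
    record, tries = brute_force(limited_gate, "203.0.113.5")
    print(f"throttled: record {record} after {tries} guesses")
    print(f"full space at 200 req/s: {worst_case_seconds(200):.0f} s")
```

The point the numbers make is that a five-digit captcha is not a secret in any meaningful sense: the whole space fits in minutes at modest request rates, so the per-IP attempt limit (or an equivalent account, token or global throttle) is what actually protects the data, not the captcha itself.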
“The booking IDs and phone numbers related to these IDs with timestamps were stored naked and all of it could be downloaded by parsing HTML using python scripts,” Sharma said.
The issue was reported to OYO, and the hospitality company offered a bounty of Rs 25,000. OYO has not yet officially announced that the issue has been fixed.
An OYO spokesperson said that “The equipment which is susceptible to brute force / DDoS is the property of a third party vendor; it is owned and maintained by them. We are actively engaged with them to fix the vulnerability on priority, but considering distributed deployments, it will take some time to fix it.”
OYO said in a statement that it also plans to launch a bug bounty program like other tech companies. Sharma advises security researchers to wait for OYO's bounty program to come out.
Until the issue is completely fixed, it is better to avoid logging in to the portals, to keep your details secure.