Vero Moda, Jack and Jones, Only, and other Bestseller India websites exhibited a security hole that allowed user accounts to be hijacked by anyone who simply knew the target's email ID used for registration. This in turn would expose information such as the user's shipping addresses, full name and phone number, as well as any credits recorded with the sites. While this information might not seem worrying, such data is actually very valuable, and it is often used in phishing attacks to impersonate a real company and cheat people out of their money. After Gadgets 360 raised the issue with the company – a year after the security researcher did – the flaw was finally fixed, so customer data is no longer accessible, but the company did not share details on how long customer data was at risk.
Security researcher Sayaan Alam wrote to company executives in September 2019. At the time, Alam tweeted to the company's CEO and was asked to send an email. Alam then sent a report on the issue to the CEO of the company and received a tweet in response from Vero Moda India, which said it had "passed this information on to the relevant team".
In emails reviewed by Gadgets 360, Alam explained that he performed security testing and found a bug that could allow account takeovers for Vero Moda, Jack and Jones, and Only India. He asked to be connected to the company’s CTO.
More than a year later, Alam said he had not received any further communication from the company while the bug remained active. In December, Alam contacted Gadgets 360, and by creating a dummy account with a secret detail, we were able to confirm that Alam could in fact take over an account if he knew the email ID used to sign up.
Considering how widely email IDs are shared, it wouldn't be difficult for someone to obtain a person's email ID and then, through this flaw, learn other details such as their home address, which would compromise their security.
In discussions with Gadgets 360, Alam explained that he “didn’t want to make the issue public while the bug was still active, as it could endanger user accounts.”
Gadgets 360 then contacted the company and exchanged emails with its CIO, Ranjan Sharma, who responded quickly and gathered information about Alam’s findings. After getting the details, Sharma replied that he would “check”. A week later, when asked for updates, Sharma replied that the bug had been fixed.
"First of all, let me thank you for bringing this to our attention," he said via email. "We did a deep scan and found a version issue with our system and as a result the token swap was forgotten, which we resolved on the same day. We are also working on a plan to reach our registered customers."
At this point, we asked for information on how many customers use the site and whether the company has a bug bounty program in place to encourage security researchers to submit reports. However, Sharma did not share any response afterwards, and it is unclear whether any users were notified – the test account we created did not receive any update regarding the exposure of its information – three months after the problem was disclosed to the company and the bug was fixed.
Sharma and Bestseller responded quickly when contacted by Gadgets 360 and resolved the issue once it was discussed, which is a positive development. However, the lack of communication with users is one area that could definitely be improved.
The bug in question, as demonstrated by Alam, was fairly straightforward, and it is possible that any amount of user data could have been compromised through this flaw. This reflects a persistent problem in India, where security researchers are actively discouraged from exploring weaknesses in online systems – and users are rarely, if ever, made aware of the issues unless the matter is made public by other sources.