A security researcher has discovered a critical vulnerability in the iOS application of Indane LPG that exposes the personal details of customers and distributors.
Indane LPG is one of the leading domestic LPG providers in India owned by Indian Oil Corporation Limited.
According to the security researcher Sreekanth Pillai, the breach has exposed sensitive details of at least 7 million customers and distributors.
The Broken Access Control vulnerability in the app's API endpoint gave attackers unauthorised access to view and modify data.
“The API Endpoint was vulnerable to Broken Access Control vulnerability. On accessing my profile section within the application, a POST request was sent to the backend server with my user id, deviceID and Base64 encoded access_token,” the researcher told GBHackers.
The vulnerability allowed an attacker to:
- View and modify the personal data of every Indane LPG customer
- View distributors' bank details
- Access customers' online order history
- Book a new LPG cylinder
- Change subsidy requests without user consent
The personal details exposed include the Consumer Number, Consumer Name, Postal Address, Personal Email Address and phone numbers of every Indane consumer.
The distributor’s bank details exposed include the name, bank name, account number, IFSC code, email and the phone number linked with the bank account.
When the user accesses their profile, the app sends a POST request containing the user id to validate the user.
The researcher was able to access information about other Indane consumers by incrementing the value of “userid” in that request, because the backend did not check that the requested record belonged to the authenticated user.
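To make the flaw concrete from the backend's side, here is an added example (not Indane's code and not the researcher's) of the vulnerable pattern next to its fix. The token format, the signing secret, the customer records and the handler names (vulnerable_profile, hardened_profile) are all assumptions constructed for this illustration; the point is that the fixed handler derives the user id from the verified access token instead of trusting the userid field in the POST body.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the backend's customer table; all values are made up.
CUSTOMERS = {
    1001: {"consumer_number": "C-1001", "name": "Customer A", "phone": "+91-00000-00001"},
    1002: {"consumer_number": "C-1002", "name": "Customer B", "phone": "+91-00000-00002"},
}

# Hypothetical server-side signing secret (assumption, not from the article).
SERVER_SECRET = b"example-secret-do-not-use"


def issue_token(user_id: int) -> str:
    """Issue a Base64-encoded access token bound to one user id.
    Token layout is constructed for this example: base64("<user_id>.<hex hmac>")."""
    mac = hmac.new(SERVER_SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{user_id}.{mac}".encode()).decode()


def verify_token(token: str):
    """Return the user id the token is bound to, or None if it is malformed or forged."""
    try:
        uid_str, mac = base64.b64decode(token).decode().split(".", 1)
        expected = hmac.new(SERVER_SECRET, uid_str.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        return int(uid_str)
    except (ValueError, UnicodeDecodeError):
        return None


def vulnerable_profile(body: dict):
    """Flawed pattern: the token is checked, but the record returned is whichever
    `userid` the client placed in the POST body (an IDOR / broken access control)."""
    if verify_token(body.get("access_token", "")) is None:
        return 401, {"error": "invalid token"}
    record = CUSTOMERS.get(int(body["userid"]))
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def hardened_profile(body: dict):
    """Fixed pattern: the user id comes from the verified token, never from the body.
    A client-supplied userid that disagrees with the token is rejected outright,
    which is also the event worth alerting on server-side."""
    uid = verify_token(body.get("access_token", ""))
    if uid is None:
        return 401, {"error": "invalid token"}
    if "userid" in body and str(body["userid"]) != str(uid):
        return 403, {"error": "forbidden"}
    record = CUSTOMERS.get(uid)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    token = issue_token(1001)
    # Same token, neighbouring userid: the flawed handler leaks another customer's record,
    # the hardened one refuses.
    print(vulnerable_profile({"userid": 1002, "access_token": token}))
    print(hardened_profile({"userid": 1002, "access_token": token}))
```

The 403 branch in hardened_profile is the signal a detection engineer would want logged: a valid session asking for a record it does not own, repeated across sequential ids from one token or device, is exactly the enumeration pattern described in the article.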
The researcher notified the National Critical Information Infrastructure Protection Centre (NCIIPC) about the vulnerability on March 29, 2019, and both the iOS and Android apps were removed immediately.