
API Vulnerability: Bullet Dodged

What's Zomato

Zomato is an online restaurant search and discovery service providing information on home delivery, dining-out, cafés and nightlife in cities of India and 21 other countries.

The site has an Alexa rank of 1,210 in the world and 146 in India as of June 2015.

Features:

Find the best restaurants nearby
Detailed restaurant info, and thousands of scanned menus
Follow foodies for trusted reviews
Create your own personal food diary

Mobile Reputation Protection Suite

Zomato Statistics

Presence in 106 cities across 13 countries
Approximate user base of 62.5 million
Base of 255,700 restaurants on their portal.

Hack Details

While creating an account, a user can store his phone number, addresses and date of birth, link an Instagram account, etc. In one of the API calls, the user's data was returned based on the "browser_id" parameter in the API request.

Changing the "browser_id" sequentially resulted in data leakage of other Zomato users.

The leaked data also included the Instagram access token, which could be used to see the private Instagram photos of the respective Zomato users.

Vulnerability Details

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input.

As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files.

Resources can be directly accessed by modifying the value of a parameter used to directly point to an object.

Resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user-supplied input and uses it to retrieve an object without performing sufficient authorization checks.

Vulnerable Endpoint

POST /v2/userdetails.json/XXXXX?&browser_id=XXXXX&type=journey&lang=en&uuid=pgh1evyBWvL+sp9/JpwUpItnk8Q=&app_version=6.5.0.1 HTTP/1.1
Accept: */*
Content-Length: 214
Accept-Encoding: gzip, deflate
X-Zomato-APIKey: XXXXXXX
Content-Type: application/x-www-form-urlencoded
User-Agent: Zomato/5.0
Host: 1api.zomato.com
Connection: Keep-Alive
Cache-Control: no-cache

lang=en&uuid=pgh1evyBWvL%2Bsp9%2FJpwUpItnk8Q%3D&client_id=Zomato_WindowsPhone8_v2&app_version=6.5.0.1&device_manufacturer=NOKIA&device_name=NOKIA%2520Lumia%25201020&access_token=xyz
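The root cause above is an object lookup keyed only on the client-supplied "browser_id". The following is an added illustration (not Zomato's code) of that lookup beside a fixed version that resolves the caller from the session's access_token, checks that the requested object belongs to that caller, and keeps third-party tokens out of the response. All records, tokens and ids are constructed sample data.

```python
# Added example, not code from the original report. Names, records and
# tokens are constructed for illustration only.
from dataclasses import dataclass

@dataclass(frozen=True)
class UserRecord:
    user_id: int
    browser_id: str
    phone: str
    instagram_token: str  # sensitive: should never reach an API response

# Constructed sample store: two users and their session access tokens.
USERS = {
    101: UserRecord(101, "b-1001", "+91-5550001", "ig-tok-A"),
    102: UserRecord(102, "b-1002", "+91-5550002", "ig-tok-B"),
}
SESSIONS = {"tok-alice": 101, "tok-bob": 102}

def userdetails_vulnerable(params):
    """IDOR: the record is chosen by browser_id alone, so any authenticated
    caller can walk the id space and read every user's data."""
    for rec in USERS.values():
        if rec.browser_id == params.get("browser_id"):
            return {"user_id": rec.user_id, "phone": rec.phone,
                    "instagram_token": rec.instagram_token}
    return None

def userdetails_fixed(params):
    """Authorize against the session, not the supplied id.
    1. Resolve the subject from access_token (401 if unknown).
    2. Require the requested object to belong to that subject (403 if not).
    3. Return only fields the client needs; keep the Instagram token server-side."""
    owner = SESSIONS.get(params.get("access_token"))
    if owner is None:
        return {"error": "unauthorized", "status": 401}
    rec = USERS[owner]
    if params.get("browser_id") != rec.browser_id:
        # Log this: repeated 403s with sequential browser_id values are the
        # enumeration pattern described in the report.
        return {"error": "forbidden", "status": 403}
    return {"user_id": rec.user_id, "phone": rec.phone, "status": 200}
```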

Ease of Exploitability

You can easily get the userid of any Zomato user by visiting their profile. They are public and appended to your profile URL.

This bug was responsibly disclosed to Zomato and was fixed within a few minutes by the engineering team.

About The Hacker

Anand Prakash is the man behind the discovery and reporting of this vulnerability to Zomato.

He is currently working as a security engineer at Flipkart in Bangalore.

His past experience includes working with Haryana Police in cyber crime investigation and penetration testing at ebilling solution.

He works as a network engineer at a well-known telecom solution provider.

Disclosure Timeline

June 1, 2015 09:29 PM : Report sent to Deepinder Goyal, CEO

June 2, 2015 12:54 PM : Added Gunjan Patidar, CTO and Shrey Sinha to the mail thread

June 2, 2015 1:04 PM : Bug acknowledged by Gunjan Patidar

June 2, 2015 2:01 PM : Confirmation of vulnerability fix from Gunjan Patidar

What's Appvigil

Appvigil, an integrable Mobile Reputation Protection Suite for Mobile Apps

How?

Appvigil is an automated cloud-based mobile app security scanner which enables enterprises to identify security vulnerabilities and loopholes in their mobile apps and fix them. It helps you locate the exact security bugs in mobile apps.

Static Analysis

Bytecode structure of the app is analyzed to look for any vulnerable connection.

Dynamic Analysis

Run-time behaviour of an app is tested against the vulnerabilities in an emulated hacking environment.

Network Analysis

Capturing all communication packets that the app functions with, with complete request/response details.

Reach us

A Product by

Email: hello@appvigil.co
Web: appvigil.co
FB: fb.com/appvigil
Twitter: @appvigil_co
