If you are planning to place an order for the world's cheapest smartphone, at ₹251, you should reconsider. The company's website, which is the only channel for purchasing the phone, has abysmal security and exposes user data, including shipping addresses.
Today, Freedom 251's website is back and functioning sporadically, taking orders from users. Yesterday, after the site crashed for most of the day and failed to redirect users to the payment page, the company took it down for 24 hours.
Since the site came back, hardly any of the problems have been fixed. It is still unreachable most of the time, and orders placed from a desktop do not go through at all. The order form performs no validation whatsoever: you can enter imaginary states, PIN codes, phone numbers and email IDs, and the form submits without a single error. The quantity field has at least been disabled. Until yesterday, you could enter '0.5' and get the phone at half the price. Presumably half the phone.
Don’t have enough money for the Rs. 251 phone? Well, you can buy half of it. Even the shipping costs are halved! pic.twitter.com/cyMZbQfAwS
— Ershad Kaleebullah (@r3dash) February 18, 2016
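The missing checks above are all server-side input validation. The following is an added example (not the Freedom 251 site's own code) showing a validator for the fields the text says were accepted unchecked, beside the unchecked price calculation that produces the half-price order shown in the tweet. The state list, the shipping charge and the sample submissions are constructed for illustration; the PIN and mobile-number patterns follow the usual Indian formats.

```python
"""Added example: server-side validation for an order form like the one the
text describes. Not the vendor's code; rules and sample data are constructed."""
import re
from typing import Dict, List

PRICE_INR = 251        # unit price quoted in the article
SHIPPING_INR = 40      # assumed shipping charge; the article does not state one
MAX_QTY = 5            # assumed per-order cap

# Constructed subset of Indian states/UTs; a real deployment holds the full list.
STATES = {"Karnataka", "Maharashtra", "West Bengal", "Delhi", "Tamil Nadu"}
PIN_RE = re.compile(r"^[1-9][0-9]{5}$")               # Indian PIN: six digits, no leading zero
PHONE_RE = re.compile(r"^[6-9][0-9]{9}$")             # Indian mobile: ten digits, starts 6-9
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse shape check only
QTY_RE = re.compile(r"^[1-9][0-9]*$")                 # whole number, no sign, no decimal point


def order_total_unchecked(form: Dict[str, str]) -> float:
    """What a form with no validation effectively does: trust the quantity string
    and multiply. '0.5' yields half the price and half the shipping, as in the tweet."""
    return float(form.get("quantity", "1")) * (PRICE_INR + SHIPPING_INR)


def validate_order(form: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the submission is acceptable."""
    errors = []
    if form.get("state") not in STATES:
        errors.append("state: not a recognised state")
    if not PIN_RE.match(form.get("pincode", "")):
        errors.append("pincode: must be six digits")
    if not PHONE_RE.match(form.get("phone", "")):
        errors.append("phone: must be a ten-digit mobile number")
    if not EMAIL_RE.match(form.get("email", "")):
        errors.append("email: malformed")
    qty_raw = form.get("quantity", "")
    # Match the raw string, never parse it as a float: '0.5', '1e2', '-1' and '' are all rejected.
    if not QTY_RE.match(qty_raw) or int(qty_raw) > MAX_QTY:
        errors.append(f"quantity: must be a whole number from 1 to {MAX_QTY}")
    return errors


def order_total(form: Dict[str, str]) -> int:
    """Price an order only after it has passed validation; quantity is an int here."""
    errors = validate_order(form)
    if errors:
        raise ValueError("; ".join(errors))
    return int(form["quantity"]) * PRICE_INR + SHIPPING_INR


if __name__ == "__main__":
    # Constructed submissions: one garbage, one well-formed.
    bad = {"state": "Narnia", "pincode": "12345", "phone": "123",
           "email": "nope", "quantity": "0.5"}
    good = {"state": "Karnataka", "pincode": "560001", "phone": "9876543210",
            "email": "buyer@example.com", "quantity": "2"}
    print("unchecked total for quantity 0.5:", order_total_unchecked(bad))
    print("validation errors:", validate_order(bad))
    print("validated total:", order_total(good))
```

Disabling the quantity field in the browser, as the vendor did, does not close the hole: anyone can resend the POST with `quantity=0.5` from a script. The check has to happen where the price is computed.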
But the real nightmare is in how easy it is to scrape user information from the site.
We tried to place an order from a mobile device and it went through. That exposed a major security loophole the company needs to fix right away. If you copy the URL of the confirmation page, which contains the order id, the same page opens on a desktop or any other device without any log-in. The site never checks that the person requesting the page is the person who placed the order; it simply serves whatever order id appears in the URL. So once you have one such URL, you can change the order id and keep pulling up other users' confirmation pages. We were able to replicate this and see other users' information. The page carries dangerously personal and identifying data: the email id and the shipping address.
An attacker can write a relatively simple script that walks through the order ids and scrapes this information for every customer, including your home address if that is what you set as the shipping address. This is a shocking compromise of user information by a company that claims to be part of the government's Make In India programme.
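The flaw described above is a missing authorization check on a sequential identifier. The following added example (not the vendor's code) models it against an in-memory order store: the vulnerable lookup that serves a page to anyone who knows the id, the id-walking loop the text describes, and a hardened lookup that requires both an unguessable per-order token and the owning session. Order ids, accounts and addresses are constructed sample data; nothing here talks to the real site.

```python
"""Added example: confirmation page keyed on a guessable order id versus one bound
to an owner and a random token. Not the vendor's code; all data is constructed."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Order:
    order_id: int
    owner: str                 # account that placed the order
    email: str
    shipping_address: str
    # Per-order capability token, generated with the CSPRNG; never sequential.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


# Constructed sample store with sequential ids, as a naive backend would issue them.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", "alice@example.com", "12 MG Road, Bengaluru 560001"),
    1002: Order(1002, "bob", "bob@example.com", "7 Park Street, Kolkata 700016"),
    1003: Order(1003, "carol", "carol@example.com", "3 Marine Drive, Mumbai 400020"),
}


def confirmation_vulnerable(order_id: int) -> Optional[Dict[str, str]]:
    """The lookup the text describes: whoever supplies an id gets that order's page."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    return {"email": order.email, "shipping_address": order.shipping_address}


def enumerate_orders(start: int, stop: int) -> List[Dict[str, object]]:
    """The 'relatively simple script': walk an id range and keep every page that
    comes back. It only queries the in-memory store above."""
    leaked = []
    for oid in range(start, stop):
        page = confirmation_vulnerable(oid)
        if page is not None:
            leaked.append({"order_id": oid, **page})
    return leaked


class Forbidden(Exception):
    pass


def confirmation_hardened(order_id: int, token: str,
                          session_user: Optional[str]) -> Dict[str, str]:
    """Serve the page only to the logged-in owner presenting the order's token.

    Unknown id, wrong token and wrong user all raise the same error, so a probe
    learns nothing about which ids exist. The token comparison is constant-time."""
    order = ORDERS.get(order_id)
    if (order is None
            or session_user is None
            or not secrets.compare_digest(order.token, token)
            or session_user != order.owner):
        raise Forbidden("order not found")
    return {"email": order.email, "shipping_address": order.shipping_address}


if __name__ == "__main__":
    print("leaked by walking ids 1000-1009:", enumerate_orders(1000, 1010))
    alice = ORDERS[1001]
    print("owner with token:", confirmation_hardened(1001, alice.token, "alice"))
    try:
        confirmation_hardened(1001, alice.token, "bob")
    except Forbidden as e:
        print("other user with stolen link:", e)
```

The token alone stops blind enumeration, since a 128-bit random value cannot be walked; the ownership check additionally stops a forwarded or leaked link from opening the page, which is the desktop-without-log-in behaviour the text observed. If the site does not support logged-in sessions at all, the token is the minimum bar.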
When a site ignores such basic security principles, it raises doubts about how carefully it handles payment information and how well that would hold up against a serious attack.
There have been many doubts about the phone itself. A post by Aamir Siddiqui breaks down the whole saga technically and raises questions ranging from manufacturing to the security of the phone.
Many people are asking how the phone can be so cheap. There are also concerns about whether it is safe to use: NDTV has pointed out in a report that it has no BIS certification, and a report in ET suggests the government is keeping a close watch on the phone, given the huge customer interest at stake.
Clearly, Ringing Bells is failing to meet even the minimum security expected of an e-commerce vendor.
We have informed the company of this security flaw as well.