06/11/2019 7:24 AM IST | Updated 06/11/2019 7:50 PM IST

Spoyl Website Bug Found By 14-Year-Old Compromised Users Numbers, Email IDs

The CEO of Spoyl was alerted of a bug that allowed people to access any users profile in May, but only patched the vulnerability last week.


CHANDIGARH — Do you use Spoyl, a fashion e-commerce platform, to order its in-house apparel brands or curated items from your favourite celebrities? If yes, it is possible that your personal information including your name, mobile number, address, and email ID have all been compromised, thanks to a security flaw on the site.

Spoyl CEO Bhargav Errangi told HuffPost India that the bug has now been fixed; but the high school student who found the bug said the vulnerability was unresolved for months before it was fixed.

Sayaan Alam, a Delhi-based student of class 11, said he contacted the company in  May, and the bug has only been resolved last week. There’s no way of knowing how many people had their data compromised by Spoyl in this way.

According to Alam, the bug  grants customers’ login account access to anyone who knows their email ID—and from there, it’s possible to extract a person’s full name, address, and phone number, apart from their purchase history with Spoyl. This information in turn can leave people vulnerable to phishing attacks.

For the latest news and more, follow HuffPost India on TwitterFacebook, and subscribe to our newsletter.

How did the bug work?

According Alam, the issue lay with Spoyl mis-configuring the Google Sign-in token. Google’s authentication gives a site a unique token, which is used to confirm your sign-in details. But due to a configuration error, users can change their email ID after sign-in is complete, and this gives them access to the other users’ account.

“So when I changed my email with that of the CEO, who had an account on his website, I was granted access to his account by his company’s server,” Alam said. “Also, I managed to gain access to two of the other celebrities  by using their emails available in the public domain.”

The influencers list of Spoyl includes celebrities and top bloggers from the fashion and lifestyle industry. Tamil Superstar Mahesh Babu also launched  his apparel brand ‘The Humbl Co’ exclusively with Spoyl in August this year, giving a platform to his fans who follow Spoyl to buy clothes from his label. 

Sayaan Alam
Screenshot of a video showing Alam gaining access to Siddharth Nigam's account, revealing his address, phone number, and email ID.

Alam said that he gained also access to the accounts of Siddhrath Nigam, an Indian actor who worked in films like Dhoom 3 and also  played the role of Ashoka in a popular TV soap Chakravarty Ashoka Samrat; and the account of model Avneet Kaur too was accessed by him in the same way.

Despite alerting the company officials in May this year, no action was taken into the matter. It was only when HuffPost India contacted Spoyl’s CEO, Errangi, on Thursday, that the bug was fixed.

Not a critical bug, claims Spoyl CEO

“Even though the bug was not critical, we fixed it to provide an  extra layer of security to our customers. Since 95% of our business happens only on our app, which is too secured, the bug has not caused any harm to the privacy of our customers,”Errangi said.

“The hacker used some middle level hacking tool to gain access into our customer’s database,” he said. “Since these two celebrities have advertised with us in the past and their emails too were available in the public domain, it was easy for him to gain access into  these two accounts. However, finding the email addresses of our lakhs of customers is a Herculean task for any hacker.”

Sayaan Alam
Alam was also able to send screenshots with the phone number and email ID of Spoyl's CEO.

Refuting this, Ritesh Bhatia, a Mumbai based cyber crime investigator said that the breach is indeed critical in nature. He added that finding an email address of a person or a database of an e-commerce website is not a difficult task for professional hackers.

“Here, an unauthorised person is able to gain access to a user account just by entering a customer’s email and find his contact number, home address and also view his order history is indeed critical. It seems that company did not carry out Vulnerability Assessment and Penetration Testing (VAPT ) which is a basic security feature for such websites to protect and safeguard the privacy of its online customers,” said Bhatia.

Threat to India’s e-commerce websites goes unnoticed

According to a report published in indiaretailing in March this year, the Indian e-retail is estimated at US $16.3 billion in 2017 and is expected to grow at CAGR of 45 percent to reach US $49.5 billion by 2020.

At present, the e-commerce market is led by electronics category with a share of ~49 percent followed by apparel and lifestyle which is ~25 percent (including footwear, bags, belts, wallets, watches, jewellery, etc.).

Despite the fact, vulnerability in many e-commerce websites gets unnoticed due to lack of knowledge among the online customers, as well as the companies running the websites.