CHANDIGARH — Do you use Spoyl, a fashion e-commerce platform, to order its in-house apparel brands or curated items from your favourite celebrities? If yes, it is possible that your personal information including your name, mobile number, address, and email ID have all been compromised, thanks to a security flaw on the site.
Spoyl CEO Bhargav Errangi told HuffPost India that the bug has now been fixed; but the high school student who found the bug said the vulnerability was unresolved for months before it was fixed.
Sayaan Alam, a Delhi-based student of class 11, said he contacted the company in May, and the bug has only been resolved last week. There’s no way of knowing how many people had their data compromised by Spoyl in this way.
According to Alam, the bug grants customers’ login account access to anyone who knows their email ID—and from there, it’s possible to extract a person’s full name, address, and phone number, apart from their purchase history with Spoyl. This information in turn can leave people vulnerable to phishing attacks.
How did the bug work?
According Alam, the issue lay with Spoyl mis-configuring the Google Sign-in token. Google’s authentication gives a site a unique token, which is used to confirm your sign-in details. But due to a configuration error, users can change their email ID after sign-in is complete, and this gives them access to the other users’ account.
“So when I changed my email with that of the CEO, who had an account on his website, I was granted access to his account by his company’s server,” Alam said. “Also, I managed to gain access to two of the other celebrities by using their emails available in the public domain.”
The influencers list of Spoyl includes celebrities and top bloggers from the fashion and lifestyle industry. Tamil Superstar Mahesh Babu also launched his apparel brand ‘The Humbl Co’ exclusively with Spoyl in August this year, giving a platform to his fans who follow Spoyl to buy clothes from his label.
Alam said that he gained also access to the accounts of Siddhrath Nigam, an Indian actor who worked in films like Dhoom 3 and also played the role of Ashoka in a popular TV soap Chakravarty Ashoka Samrat; and the account of model Avneet Kaur too was accessed by him in the same way.
Despite alerting the company officials in May this year, no action was taken into the matter. It was only when HuffPost India contacted Spoyl’s CEO, Errangi, on Thursday, that the bug was fixed.
Not a critical bug, claims Spoyl CEO
“Even though the bug was not critical, we fixed it to provide an extra layer of security to our customers. Since 95% of our business happens only on our app, which is too secured, the bug has not caused any harm to the privacy of our customers,”Errangi said.
“The hacker used some middle level hacking tool to gain access into our customer’s database,” he said. “Since these two celebrities have advertised with us in the past and their emails too were available in the public domain, it was easy for him to gain access into these two accounts. However, finding the email addresses of our lakhs of customers is a Herculean task for any hacker.”
Refuting this, Ritesh Bhatia, a Mumbai based cyber crime investigator said that the breach is indeed critical in nature. He added that finding an email address of a person or a database of an e-commerce website is not a difficult task for professional hackers.
“Here, an unauthorised person is able to gain access to a user account just by entering a customer’s email and find his contact number, home address and also view his order history is indeed critical. It seems that company did not carry out Vulnerability Assessment and Penetration Testing (VAPT ) which is a basic security feature for such websites to protect and safeguard the privacy of its online customers,” said Bhatia.
Threat to India’s e-commerce websites goes unnoticed
According to a report published in indiaretailing in March this year, the Indian e-retail is estimated at US $16.3 billion in 2017 and is expected to grow at CAGR of 45 percent to reach US $49.5 billion by 2020.
At present, the e-commerce market is led by electronics category with a share of ~49 percent followed by apparel and lifestyle which is ~25 percent (including footwear, bags, belts, wallets, watches, jewellery, etc.).
Despite the fact, vulnerability in many e-commerce websites gets unnoticed due to lack of knowledge among the online customers, as well as the companies running the websites.