Booked your Indian Railways Tickets via this App? Change your password immediately!

Unofficial Indian Railway app developer leaves more than 2 million users' details exposed on an open database.

The app developer, SmartApps India, builds unofficial iOS and Android apps that let users look up Indian train timings and ticket status, and book tickets through the app. The company claims millions of downloads across the two platforms.

In September last year, a security researcher found a Firebase database exposed on the internet containing more than 2 million records: usernames, plain-text passwords and email addresses. The researcher first approached a reporter to try to reach the company and report this critical data exposure, without success. The researcher then approached a security company, Dvuln, for help reporting the issue.

Because neither the app nor the site gave clear contact details for reporting security issues, it took more than a month to establish contact with the company. The developer then took another month to restrict access, finally locking down the database in early January 2020.

If you have used this app in the past, change the password for the app. If you have reused that password on other apps or sites, change it there too, immediately.

It’s surprising how, in this day and age, app developers, especially ones that boast more than 10 million downloads, still store customer passwords in plain text and have so little regard for security disclosures from researchers.
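To make the plain-text point concrete, here is an added example (not code from the original post or from SmartApps India) showing what a leaked record looks like when the password is stored as-is versus when it is stored as a salted scrypt hash, using only the Python standard library. The scrypt parameters and the record format are assumptions chosen for illustration; the sample password and username are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt parameters for illustration: n must be a power of two, and
# 128 * r * n bytes of memory (16 MiB here) stays under hashlib's default maxmem.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_LEN = 32


def store_plaintext(password: str) -> str:
    """What the breached app did: the stored value is the password itself.
    Anyone who reads the database can log in as the user and try the same
    password on every other site the user has an account with."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt hash and encode it with its parameters so the
    verifier can recompute it later (assumed record format: scrypt$n$r$p$salt$key)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    key = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the parameters embedded in the record and compare
    in constant time. Malformed records are rejected rather than raising."""
    try:
        scheme, n, r, p, salt_hex, key_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False
    if scheme != "scrypt" or not expected:
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def leaked_record(username: str, password: str, hashed: bool) -> dict:
    """Build the record an attacker would see in an exposed database under each
    storage scheme (constructed sample data, not from the breach)."""
    secret = hash_password(password) if hashed else store_plaintext(password)
    return {"username": username, "password": secret}


if __name__ == "__main__":
    # Constructed sample user; nothing here comes from the exposed database.
    print("plain-text record:", leaked_record("sample_user", "hunter2", hashed=False))
    print("hashed record:    ", leaked_record("sample_user", "hunter2", hashed=True))
    record = hash_password("hunter2")
    print("verify correct password:", verify_password("hunter2", record))
    print("verify wrong password:  ", verify_password("hunter3", record))
```

With the hashed scheme, the leaked value cannot be reversed to the password or replayed against other sites without a per-record brute-force, and the random salt means two users with the same password get different records. A breach of this kind would still warrant a password reset, but it would not hand the attacker every user's credential in the clear.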

Read my previous note about the other three data breaches in India this year.

Source: Why you should choo-choo-choose to have a vulnerability disclosure policy
