Unofficial Indian Railway app developer leaves more than 2 million users’ details exposed on an open database.
The app developer, SmartApps India, builds unofficial iOS and Android apps that let users look up Indian train timings and ticket status and book tickets through the app. They claim millions of downloads of their apps across the two platforms.
In September last year, a security researcher found a Firebase database exposed on the internet containing more than 2 million records, each holding a username, a plain-text password and an email address. The researcher approached a reporter to see if they could reach the company and report this critical data breach, without success. The researcher then approached a security company, Dvuln, for help reporting the issue.
Since neither the app nor the site had clear contact details for reporting security issues, it took more than a month to establish contact with the company and report the exposure. The app developer took another month to restrict access to the database, finally locking it down in early January 2020.
If you have used this app in the past, I’d ask you to change the password for the app. In the rare case you’ve reused the same password on other apps or sites, please go and change those too immediately.
It’s surprising how, in this day and age, app developers, especially ones that boast more than 10 million downloads, still store customer passwords in plain text and pay so little regard to security disclosures from researchers.
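To make the plain-text point concrete, here is an added example (my own code, not anything from SmartApps India or the exposed database) showing the difference between storing a record the way the breach exposed it and storing a salted, slow hash of the password instead. The record contents, the field names, and the `hash_password`, `verify_password` and `migrate_records` helpers are all assumptions for illustration; the hashing uses Python's standard `hashlib.scrypt`. Even if the database had leaked in this form, an attacker would have had to brute-force each password individually rather than reading it off the page.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample rows in the shape the article describes (username, plain-text
# password, email). These are made-up values, not data from the breach.
PLAINTEXT_RECORDS: List[Dict[str, str]] = [
    {"username": "alice", "password": "trainfan2019", "email": "alice@example.com"},
    {"username": "bob", "password": "correct horse battery", "email": "bob@example.com"},
]

# scrypt work factors: 2**14 iterations, block size 8, parallelism 1, 32-byte output.
# Memory use is 128 * r * n bytes (16 MiB here), so maxmem is set above that.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SCRYPT_MAXMEM = 64 * 1024 * 1024


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: scrypt$n$r$p$salt_hex$hash_hex.

    A fresh random 16-byte salt is generated unless one is supplied, so two
    users with the same password get different stored values.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DKLEN,
        maxmem=SCRYPT_MAXMEM,
    )
    return "$".join(
        ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), digest.hex()]
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=bytes.fromhex(salt_hex),
        n=int(n),
        r=int(r),
        p=int(p),
        dklen=len(bytes.fromhex(hash_hex)),
        maxmem=SCRYPT_MAXMEM,
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def migrate_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Replace the plain-text 'password' field with a 'password_hash' field.

    The original password never appears in the returned rows, so a copy of the
    migrated table exposes only salted hashes.
    """
    migrated = []
    for row in records:
        new_row = {k: v for k, v in row.items() if k != "password"}
        new_row["password_hash"] = hash_password(row["password"])
        migrated.append(new_row)
    return migrated


if __name__ == "__main__":
    for row in migrate_records(PLAINTEXT_RECORDS):
        print(row["username"], row["email"], row["password_hash"][:40] + "...")
```

The stored string carries its own parameters, so the work factor can be raised later for new hashes while old ones still verify, and the constant-time comparison in `verify_password` avoids leaking how many bytes matched.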
Read my previous note about the other three data breaches in India this year.
Source: Why you should choo-choo-choose to have a vulnerability disclosure policy