While mobile applications of ride-sharing and travel services offer convenience to users, they can pose a security risk too. Recently, researchers have found numerous travel apps, popular among the users, exposing user data publicly.
Ride-sharing and Travel Apps Exposing User Data
Researchers from PrivacySavvy have recently shared details of their findings regarding vulnerabilities in numerous ride-sharing and travel apps. They found multiple server-side vulnerabilities affecting popular travel apps that are exposing user data publicly.
As elaborated in their post, they tested the security status of 20 different “world’s leading” travel apps in their study. And what they found is a sheer absence of even the basic security measures to protect users’ data.
This lack of basic security measures in traveling apps is not only shocking but also shows a total disregard for standard security practices these apps say they carry.
This is a rather alarming finding since these apps roughly boast over 105 million downloads collectively. That means the security lapse has risked at least 105 million customers.
In response to our query, the firm told that a majority of the impacted users are from Asia. Other affected users belong to the US, UK, Germany, Netherlands, and Poland as well.
For now, PrivacySavvy hasn’t disclosed the names of the vulnerable apps as the bugs are yet to be fixed. Hence, disclosing the name at this time can potentially trigger exploitation by the threat actors, in turn, risking millions of customers globally.
However, they have explained the problems.
Briefly, they found the vulnerabilities in the subdomains of those apps that exposed the data. Thus, it becomes possible for an adversary to exploit the bugs and pull the .git directory that includes sensitive data. This can even lead to a full database compromise.
Explaining the impact, PrivacySavvy stated in their post,
An attacker gaining such information could perform sophisticated attacks with these SQL queries leading to SQL Injection and full compromisation of the database putting thousands of users at risk.
The researchers have responsibly disclosed the issues to the respective database owners. However, many of the apps are yet to address the issue.
Until then, what users may do, as advised, is to ask the relevant ride-sharing and travel apps that they use about their data security practices. This is something users should always look up for before downloading and using an app.
Whereas, for the database owners, the researchers have emphasized on the database security best practices that should remain in place. These include deploying access rules, protecting the subdomains as well, keeping the sensitive systems off of the internet, and never storing .git on production servers.
Let us know your thoughts in the comments.