The Indian websites of Vero Moda, Jack and Jones, Only and other Bestseller brands had a security flaw that allowed user accounts to be hijacked by anyone who simply knew the email ID used to register the target account. Taking over an account exposed the user's delivery addresses, full name and phone number, and any credits stored on the sites. Such data may seem harmless, but it is valuable and is often used in phishing attacks that impersonate a real business to defraud the victim of money. After Gadgets 360 raised the issue with the company, a year after the security researcher first did, the flaw was finally fixed and customer data is no longer exposed, but the company did not share details about how long the data had been exposed.
Security researcher Sayaan Alam wrote to the company's executives in September 2019. At that time, Alam tweeted at the company's CEO and was asked to send an email. Alam then emailed a report of the problem to the CEO and received a reply tweet from the Vero Moda India account, which stated that it had "forwarded this to the relevant team".
In emails reviewed by Gadgets 360, Alam explained that he had conducted security tests and found a bug that allowed account takeover on the Vero Moda, Jack and Jones and Only India sites. He asked to be put in touch with the company's technical director.
More than a year later, Alam said he had received no further communication from the company, and the flaw remained active. In December, Alam contacted Gadgets 360, and by creating a test account whose details were known only to us, we confirmed that Alam could take over the account knowing nothing more than the email ID used to register it.
Given how widely email IDs are shared, it would not be difficult for someone to obtain a person's email address and then use it to obtain other details, such as their home address, compromising their safety and security.
In chats with Gadgets 360, Alam explained that “he doesn’t want to make the issue public while the bug is still active, as this could put user accounts at risk.”
Gadgets 360 then contacted the company and exchanged emails with its chief information officer, Ranjan Sharma, who responded quickly and asked for details of Alam's findings. After receiving the details, Sharma replied that he would "check." A week later, when asked for an update, Sharma replied that the bug had been fixed.
"First of all, let me thank you for letting us know," he said in an email. "We did a deep dive and found a problem with the version of our system and therefore the exchange of tokens was missed, which we decided the same day. We also work on a plan to connect with our registered customers."
At this point, we asked how many customers use the sites and whether the company has a bug reporting program to encourage security researchers to report issues. However, Sharma did not answer these questions, and it is not clear whether any users were informed: the test account we created received no notification that its information had been exposed, three months after the problem was disclosed to the company and fixed.
Sharma and Bestseller reacted quickly when contacted by Gadgets 360 and resolved the issue once it was discussed, which is a positive development. However, the lack of communication with consumers is an area that can certainly be improved.
The flaw in question, as demonstrated by Alam, was relatively simple, and it is possible that the data of a number of users was compromised through it. This fits a long-running pattern in India, where security researchers are actively discouraged from exploring vulnerabilities in online systems, and consumers are rarely, if ever, told about problems unless the issue becomes public through other sources.