Back in December of 2020, Cybersecurity researchers Rahil Bhansali and Ankit Pandey revealed that a small flaw in Croma and Tata Sky’s websites exposed sensitive personally identifiable information to scammers even without hacking.
This information included names, addresses, phone numbers, and purchase history — included personal data of celebrities, popular businesspersons, and doctors, among others. Apart from this data, it also exposed transaction and subscriber IDs, and transaction history.
The researchers listed these vulnerabilities on a 2-part blog on Medium.
Bhansali said on the blog post that the vulnerabilities were due to problems with the Application Programming Interfaces (APIs) at both websites. APIs are a way of accessing data within websites and software but are normally not openly accessible.
This data could be used by cybercriminals and hackers to impersonate identities, scamming, and extortions.
By using details such as name, number, and purchase history, a user can be duped into renewing a warranty or applying for additional services on a fake web page, thereby securing the person’s banking or card details, said Sai Krishna Kothapalli, CEO at Hackrew, to the Economic Times.
As to how these loopholes were found, Bhansali says in his article: “My approach in each case has always been (& will continue to be) to understand the extent of the loophole, exhaust every connect to try and bring it to the company’s notice, have them fix it and then write about it so consumers and companies alike can focus on improving their defences in protecting consumer data, privacy and security.”
Tata Consultancy Services, a Tata group company which is the technology provider to Croma, resolved the issue, said three people aware of the matter. Tata Group companies Croma and Tata Sky said on Thursday that they had fixed vulnerabilities in their websites.
