Zomato hacked by white hat, who was nice enough to let them know
Online restaurant review site Zomato Media Pvt. Ltd., owner of the service previously known as Urbanspoon, has been hacked by a white hat who, fortunately for Zomato, contacted the company with details of the vulnerability.
Along with private user details of Zomato users, the exposed data also included Instagram access tokens, which would give access to private photos on Instagram.
The hacker, who goes by the name Anand Prakash, published the details of the vulnerability on his Blogger blog, detailing how it works:
While creating an account, a user can store his phone number, addresses, date of birth, link Instagram account etc. In one of the API calls, they were reflecting the user data based on the “browser_id” parameter in the API request. Interestingly, changing the “browser_id” sequentially resulted in data leakage of other Zomato users. The data leaked also had Instagram access token which could be used to see private photos on Instagram of respective Zomato users.
He goes on to explain how Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input.
“As a result of this vulnerability,” he notes, “attackers can bypass authorization and access resources in the system directly, for example database records or files.”
An Insecure Direct Object Reference lets an attacker bypass authorization by changing the value of a parameter that points straight at an internal object, such as a database row or a file. The application takes the user-supplied value, uses it as the lookup key and returns whatever it finds, without first checking that the authenticated caller is entitled to that object. When the key is also predictable, as a sequential integer like browser_id is, the attacker does not even have to guess: walking the counter upward enumerates every user's record in turn.
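The following is an added illustration, not Zomato's code or Anand Prakash's, of the lookup pattern just described. It models the profile endpoint as plain Python functions: the vulnerable handler returns whichever record the client-supplied browser_id points at, the hardened handler binds the reference to the authenticated session and withholds the third-party token, and a third variant hands out per-session opaque handles so that the raw id never appears in the request at all. The user records, ids and tokens are constructed for the example.

```python
import secrets

# Constructed sample data. Sequential integer ids are what made enumeration trivial.
USERS = {
    101: {"name": "alice", "phone": "+1-555-0101", "instagram_token": "IGQ-alice-token"},
    102: {"name": "bob",   "phone": "+1-555-0102", "instagram_token": "IGQ-bob-token"},
    103: {"name": "carol", "phone": "+1-555-0103", "instagram_token": None},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


def vulnerable_profile(session_user_id, params):
    """IDOR: the request parameter alone decides which record comes back.

    The authenticated user id is available but never consulted.
    """
    browser_id = int(params["browser_id"])
    return USERS[browser_id]


def hardened_profile(session_user_id, params):
    """Fixed: the referenced object must belong to the authenticated caller,
    and the Instagram credential stays server-side instead of being echoed."""
    browser_id = int(params["browser_id"])
    if browser_id != session_user_id:
        raise Forbidden("browser_id does not belong to the authenticated user")
    record = USERS[browser_id]
    return {k: v for k, v in record.items() if k != "instagram_token"}


def new_session(user_id):
    """Alternative fix: an indirect reference map. The client is given a random,
    per-session handle; the server resolves it back to the real id, so there is
    no sequential value to walk."""
    handle = secrets.token_urlsafe(16)
    return {"user_id": user_id, "handles": {handle: user_id}}


def profile_by_handle(session, params):
    """Resolve an opaque handle through the session's own map only."""
    real_id = session["handles"].get(params["ref"])
    if real_id is None:
        raise Forbidden("unknown object reference")
    record = USERS[real_id]
    return {k: v for k, v in record.items() if k != "instagram_token"}


def enumerate_leak(handler, attacker_id, start, count):
    """Simulate the attack: an authenticated user walks browser_id sequentially.
    Returns a mapping of id -> Instagram token for every token that leaked."""
    leaked = {}
    for bid in range(start, start + count):
        try:
            record = handler(attacker_id, {"browser_id": str(bid)})
        except (Forbidden, KeyError):
            continue
        if record.get("instagram_token"):
            leaked[bid] = record["instagram_token"]
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_leak(vulnerable_profile, 101, 100, 5))
    print("hardened:  ", enumerate_leak(hardened_profile, 101, 100, 5))
```

Running it as alice (id 101) shows the vulnerable handler surrendering both alice's and bob's Instagram tokens, while the hardened handler yields nothing: the only record alice can fetch is her own, and even that comes back without the token. The check has to sit in the handler that performs the lookup; validating the parameter's format or hiding the endpoint from the UI does nothing against a client that edits the request by hand.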
The good news is that after the discovery Prakash contacted Zomato with the details, and he claims that it was quickly patched.
Timely reminder
Tech In Asia suggests that this case, along with others, shows Indian startups taking security for granted, which may be an exaggeration. Either way, it is a timely reminder for companies everywhere to take more care with security, particularly companies such as Zomato that have tens, and sometimes hundreds, of millions of registered users.
That said, Zomato's failure to protect against an Insecure Direct Object Reference attack is careless at best. It is a class of bug companies were dealing with ten years ago and should not still be shipping in 2015.
At the time of writing Zomato has not publicly commented.
Image credit: adulau/Flickr/CC by 2.0