#Asia What we learnt by hacking 17 Indian startups worth $10 billion+


Image credit: Guilherme Tavares


Last month, we discovered security vulnerabilities in 17 Indian startups collectively worth more than $10 billion, with almost each of them worth $100m+. The startups include Ola, Zomato, HomeShop18, BookMyShow and several others. Here is what we learned.

1. Almost every startup here has security bugs.

You might think that a startup running for the last 6 years (if we can still call them startups) would be relatively bug-free. To our surprise, more than 70% of the companies we looked at had severe bugs, either compromising users' personal data or causing monetary loss to the startup or its users. Some of these startups have dedicated security teams, and we were still able to discover severe vulnerabilities in them.

2. Bug bounty programs are unknown in Indian startups.

Out of the 17 startups we have contacted till now, only 2 offered us a bug bounty. Both bounties were less than $100. As far as we know, only Ola Cabs and Paytm have a formal bug bounty program amongst the bigger startups. Ola bounties start at INR 1000 ($17) while Paytm has not specified any bounty reward in its program. A formal bug bounty program can go a long way in helping startups secure their systems. Given the lack of formal bug bounty programs right now, a security researcher would just be wasting their time finding bugs in these startups.

3. User data leak is a major problem (apart from payments integration and improper password hashing)

Section 43A via IT Amendment Act 2008 states that –

Compensation for failure to protect data. – Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore (ten million) rupees, to the person so affected.

Imagine the scenario if all the three million users whose data was being leaked by startups started claiming compensation under the law above. Many of the startups leak user data somewhere in their API requests, either because the authorization token is missing or because the token is not checked against the currently logged-in user.
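The two failure modes described above, shown side by side with the corrected check. This is an added example, not code from any of the startups or from the original post; the user records, the token format and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a server-side secret and two user records.
SERVER_KEY = secrets.token_bytes(32)
USERS = {
    "101": {"name": "Asha", "phone": "+91-00000-00001"},
    "102": {"name": "Ravi", "phone": "+91-00000-00002"},
}


def _tag(user_id: str) -> str:
    return hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str) -> str:
    """Return a session token that binds the user id to an HMAC tag."""
    return f"{user_id}.{_tag(user_id)}"


def authenticate(token):
    """Return the user id the token was issued to, or None if invalid."""
    if not token or "." not in token:
        return None
    user_id, tag = token.split(".", 1)
    ok = hmac.compare_digest(tag.encode(), _tag(user_id).encode())
    return user_id if ok else None


def get_profile_leaky(token, requested_id):
    """Flawed handler: checks that a token is valid, not whose it is."""
    if authenticate(token) is None:
        return 401, None
    return 200, USERS.get(requested_id)  # any logged-in user reads any record


def get_profile(token, requested_id):
    """Hardened handler: the token's owner must match the requested record."""
    caller = authenticate(token)
    if caller is None:
        return 401, None  # missing or forged token
    if caller != requested_id:
        return 403, None  # valid token, but someone else's data
    return 200, USERS.get(requested_id)
```

A regression test for every endpoint that takes an object id should include the second case: a valid token for one user requesting another user's record must return 403.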

Proper hashing of passwords should be the most fundamental thing to do in a startup, since an insecure startup can compromise all your other online accounts that share the same password. We found startups using the MD5 hash function for saving passwords, some of them without salts. One of them even had passwords stored in plain text and was exposing them on a public application programming interface (API) endpoint.

A standard practice right now is to use a slower hash function like bcrypt with specific salts so as to render precomputed rainbow tables useless and make brute-force computation slower. Also, most of the forms on these startups' sites were missing a Cross-Site Request Forgery (CSRF) token, and this can lead to grave situations. Almost none of the startups were using modern headers like HTTP Strict Transport Security (HSTS), X-Cross-Site Scripting (X-XSS), Content Security Policy (CSP), HTTP Public Key Pinning (HPKP) etc.
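The password-storage point above, as an added example that is not code from the original post: unsalted MD5 beside a salted, slow hash, plus a login routine that upgrades legacy MD5 rows once the user supplies the correct password. PBKDF2 from the Python standard library stands in here for the bcrypt the article names (bcrypt needs a third-party package); the storage format, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def md5_unsalted(password: str) -> str:
    """The weak scheme the article describes: fast and unsalted."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, slow hash stored as 'pbkdf2$iterations$salt$digest'."""
    salt = secrets.token_bytes(16)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a password against either storage format."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    # Legacy row: bare MD5 hex digest.
    return hmac.compare_digest(md5_unsalted(password), stored)


def login(db: dict, user: str, password: str) -> bool:
    """Verify, then replace a legacy MD5 row with the salted slow hash."""
    stored = db.get(user)
    if stored is None or not verify_password(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        db[user] = hash_password(password)  # upgrade on successful login
    return True
```

Two users with the same password get the same `md5_unsalted` digest, which is what makes precomputed tables work; `hash_password` returns a different string on every call.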

4. Your mobile apps have made you more vulnerable.

A simple fact is that there is no way to avoid reverse engineering of your mobile app. If yours is one of those apps that rely on ‘security through obscurity’ and you think Proguard or putting your keys in Java Native Interface (JNI) would help keep that secret safe, please don’t. Anything that compromises your security does not belong in the client app, no matter how obfuscated its storage. In fact, we have found bugs in billion-dollar startups where they were saving secret keys in plain configuration files.

5. Communicate well with people who help you.

We had mixed responses from startups. While some of them were extremely responsive and responded within a day, others only responded after a series of emails and WhatsApp messages. Some have yet to reply to our messages and their bugs are out in the open. Your communication says a lot about the quality of your startup and its tech focus. We have found a strong correlation between bad communication with us and the impression of a badly run company. You also never know if the next guy who finds the same unfixed bug would be as kind as to mail you about it before taking all your data to brokers in the gray market.


This post What we learnt by hacking 17 Indian startups worth $10 billion+ appeared first on Tech in Asia.
