Popular travel apps are exposing sensitive data of millions of users, report

Ali Qamar - Cybersecurity Analyst
Last updated: October 15, 2023

[Image: Popular travel apps have server-side security vulnerabilities, PrivacySavvy report]
  • PrivacySavvy tested the server-side security of more than 20 of the world’s leading travel apps.
  • 105 million users are impacted by the sensitive data exposure of these applications.
  • Some basic security measures would let the apps’ database owners avoid any such sensitive data exposure.

Many of the widely used ride-sharing and other travel apps out there have major server-side security vulnerabilities. The PrivacySavvy research team discovered a group of travel apps leaving their servers completely open and accessible, ultimately exposing private end-user data for anyone to see. Most of the apps are leaking data through their subdomains, and the exposed data posed a risk to many parties.

Led by Sarmad Khan and Huynh Chen, in first-of-its-kind research, PrivacySavvy tested the security of over 20 of the world’s leading travel apps to understand how they manage users’ privacy and security risks. Unfortunately, most of them failed.

This lack of basic security measures in travel apps is not only shocking but also shows a total disregard for the standard security practices these apps claim to follow.

Which travel applications are putting users’ details at risk?

Due to the responsible disclosure principle and NDAs, PrivacySavvy cannot reveal the names of the apps.

Revealing their names could enable malicious hackers to attack them and leverage their users’ data in no time. All PrivacySavvy wants is to make cyberspace a safer place for average users without putting anyone at risk in the process. Also, to our knowledge, most companies are yet to correct the reported flaws.

Millions of users impacted

While we cannot reveal the applications’ names, we can share with you the impact and secured (redacted) samples from the exposed databases.

The PrivacySavvy research crew chose all the apps based upon positive reviews and number of downloads. Apps from individual hotels, airlines, and car rental companies were not evaluated. We mostly tested public ride-sharing and booking apps.

The combined number of downloads for the apps in question is a whopping 105 million, as per our calculations. It’s worth noting that the number could have been even bigger, but fortunately, not all the apps evaluated had security loopholes.

Sample of sensitive data exposure

Sensitive information exposure occurs when a business, application, or other entity unwittingly exposes personal details. Sensitive data exposure is different from a data breach, in which an attacker actively accesses and steals data.

Private information exposure happens when a database owner fails to adequately protect a database storing sensitive information. That can be the result of a multitude of things, such as no encryption, weak encryption, software flaws, etc.

Various types of details can get exposed in a sensitive data exposure incident, including:

  • Credit card numbers
  • Banking account numbers
  • Session tokens
  • Healthcare data
  • Social Security numbers
  • Phone numbers
  • Dates of birth
  • Home addresses
  • User account information such as usernames and passwords

Our research staff discovered such critical, sensitive-data-exposing security vulnerabilities in multiple travel apps, mostly in their subdomains, e.g. “pricing.ridesharingappname.com.” (Due to the NDAs and the responsible disclosure principle we need to follow, we use that hypothetical domain.) Through those subdomains, an attacker can easily pull the exposed .git directory, which reveals the following sensitive information.

[Screenshot: git index file data exposure example]
Some of the apps have files with sensitive data (such as .git files) stored on production servers.
[Screenshots: four samples of SQL queries exposed by travel apps]

Impact

An attacker gaining such information could use these SQL queries to perform sophisticated attacks, leading to SQL injection and full compromise of the database, putting thousands of users at risk.

Advice from the experts

For the platforms

The databases’ owners can avoid any such potential sensitive data exposure merely by taking some basic security measures. Before you adopt apps or software to manage any of your business areas, make sure they follow information security best practices.

If your business requires you to process external data, such as a rider’s or other members of the public, you must ensure this data is well protected from malicious hackers. Regardless of its size, any enterprise can avoid such issues by:

  1. Deploying proper access rules.
  2. Securing not only the main domain but subdomains as well.
  3. Never leaving a system that doesn’t demand any authentication open to the internet.
  4. Not making files containing sensitive data (such as .git) publicly available, and never storing them on production servers in the first place.
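Steps 2 and 4 above can be checked continuously rather than once. What follows is an added example, not PrivacySavvy’s own tooling: a small Python audit that requests /.git/HEAD on every host you own and reports an exposure only when the response is genuine git metadata, so a catch-all “200 OK” landing page is not counted as a hit. The hostnames are constructed placeholders.

```python
"""Added example (not PrivacySavvy's tooling): audit your own (sub)domains for
a served .git directory. Requests /.git/HEAD and reports an exposure only when
the body is a genuine git HEAD file, so a catch-all 200 page is not a false hit.
Hostnames are constructed placeholders."""
import re
import urllib.error
import urllib.request

# A real .git/HEAD is either a symbolic ref or a bare 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})$")

def looks_like_git_head(body):
    """True only for content a git client would write to .git/HEAD."""
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return HEAD_RE.match(text.strip()) is not None

def classify(status, body):
    """Map an HTTP response for /.git/HEAD to an audit verdict."""
    if status == 0:
        return "unreachable"   # DNS/TLS/connection failure: re-check later
    if status != 200:
        return "ok"            # blocked (403) or absent (404)
    if looks_like_git_head(body):
        return "EXPOSED"       # real repository metadata is being served
    return "suspicious"        # 200 but not git data: catch-all page, verify by hand

def fetch_head(host, timeout=5.0):
    """GET https://<host>/.git/HEAD; returns (status, body) and never raises."""
    req = urllib.request.Request(f"https://{host}/.git/HEAD",
                                 headers={"User-Agent": "internal-git-exposure-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as e:   # non-2xx still carries a status code
        return e.code, b""
    except (urllib.error.URLError, OSError):
        return 0, b""

def audit(hosts):
    """Return {host: verdict}; feed it your full subdomain inventory, not just www."""
    return {h: classify(*fetch_head(h)) for h in hosts}

if __name__ == "__main__":
    # Constructed placeholders standing in for your own main domain and subdomains.
    for host, verdict in audit(["www.example.com", "pricing.example.com"]).items():
        print(f"{host:28} {verdict}")
```

A “suspicious” verdict usually means the host answers 200 to any path; a genuine “EXPOSED” hit is the case the report describes and should be treated as an incident.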

For users

Since we reported the vulnerabilities we found to all the respective companies, chances are you’ll be on the secure side soon. But not all companies have acknowledged successful fixes yet. Also, you can never take security for granted these days.

If you’re concerned your details might get compromised, spare some time and contact any or all travel apps (such as ride-sharing and flight booking ones) you’ve recently used to inquire about their data security practices. It’s your security, and there is no harm in taking charge of it; as an end-user it’s best for you to question them. Your little step of questioning the apps will help make cyberspace a safer place for everyone, as it will push those platforms to go the extra mile.

It’s also recommended that you head over to our ultimate internet privacy and security guide. It uncovers many ways in which cybercriminals can attack you and your data today, and the useful steps you can take to stay guarded.

How and why PrivacySavvy discovered the vulnerabilities in travel apps

The PrivacySavvy research staff discovered multiple ride-sharing and other travel apps to be exposing users’ information as part of a large app-mapping project, one of our 2021 resolutions. Our white-hat researchers employ different security tools to scan for open holes in different systems (used by the general public). They then thoroughly evaluate each hole for any potential data leakage.

Upon finding a data exposure, our researchers use expert techniques to verify the database’s identity and the potential severity of the exposure. We then warn the respective database owner about the vulnerability. If possible, we also work with the affected company for quick remediation of the issue.

Our researchers were able to access the database queries of different travel apps, as multiple of them had critical vulnerabilities. Some even had completely unencrypted and unsecured databases.

The purpose of this app-mapping project is to help make the applications everyday users rely on safer. We, as a whole, want to make cyberspace a safer place for everybody.

As ethical hackers, we’re not only obliged but also committed to informing a firm or its users when we discover bugs in their online security. That is especially true in cases where the exposed data contains sensitive information of users or companies. As our name PrivacySavvy suggests, the ethics we follow also mean we carry an obligation to the public. We want to make every cyberspace consumer privacy savvy, and believe everyone deserves to be aware of any potential breach of their details and the implications it could have on their interests.

About our research lab

PrivacySavvy is a rapidly growing VPN and digital security resource center. Our research lab boasts a group of white-hat security researchers who strive to help average web users defend themselves against ever-evolving cyber threats while educating companies on protecting users’ data.


About the Author

Ali Qamar

Cybersecurity Analyst

Ali Qamar founded PrivacySavvy, an authority dedicated to fostering a security-conscious online community, and through PrivacySavvy and his writing he champions digital freedom. He has been a vocal advocate for digital privacy rights since long before Edward Snowden’s mass surveillance revelations shook the world, and he believes in individual liberty. A strong passion drives him: he wants to empower internet users with privacy knowledge so they can navigate the online world with security and confidence, and he is inclined to transformative ideas that aim to reshape how people approach and prioritize their online privacy. Ali recently co-authored a book called “The VPN Imperative,” available on Amazon; the book is a testament to his relentless quest to raise awareness about the importance of online privacy and security. He understands the details of encryption, VPNs, and privacy well and gives internet users the knowledge and tools they need to reclaim control over their data. Many see Ali as an authority in his field, and his work has appeared in many well-known publications, including SecurityAffairs, Ehacking, HackRead, Lifewire, Business.com, Intego, and Infosec Magazine; the local press also often seeks his insights. Ali has a computing degree from Pakistan’s top IT institution.
