Ola Cabs Hack: An AnalysisSecurity Experts Weigh in on Latest Disclosure
Breach disclosures in India are picking up. Early last month, ISMG broke a significant story on data exposure being inadvertently committed by Meru Cabs. [See: Meru Cabs: Customer Data Exposed] A couple of weeks later, we had the compromise at the Times Group's streaming music service Gaana.com - 10 million records were compromised by a Pakistani hacker.
See Also: Passwords Alone Aren't Enough
And just this week, I was made privy to a disclosure on Reddit by a group calling themselves 'TeamUnknown,' who claimed to have hacked into the servers of Ola Cabs, a popular Indian online taxi aggregator. The group claimed to have gained access to Ola Cabs' Database, which they say "was like winning the lottery, as it had all user details," including credit card transaction history. The attackers, however, said early on that this was a development server that was penetrated. They also claim that Ola did not heed their communication regarding the vulnerability.
Publishing that credit cards have been exposed without bothering to ascertain facts is - to say the least - reckless.
There is no evidence that suggests customer data on live production servers has been compromised. But this did not deter several media outlets from immediately publishing that Ola Cabs had been hacked. Most outlets directly published the claims in the disclosure without apparently crosschecking the information. Thankfully, they remembered to add the word "allegedly," giving themselves maneuvering space if they got anything wrong.
Not to put too fine a point on it, but publishing that credit cards have been exposed without bothering to ascertain facts is - to say the least - reckless.
Doubts as to whether any compromise took place were laid to rest in an official statement released by Ola
"The alleged hack seems to have been performed on a staging environment when exposed for one of our test runs," Ola says in its official statement. "The staging environment is on a completely different network compared to our production environment, and only has dummy user values exclusively used for internal testing purposes." Ola claims categorically that no security lapse whatsoever has happened to any user data.
Ola was not forthcoming to ISMG's request for specifics, which yielded the same stock statement from its PR machinery. The statement establishes one thing however: Something was compromised, albeit the test/development server. Experts also agree that the data exposed looks to be dummy data. Which means, no credit cards, no transaction history, and no vouchers - not useful ones anyway. A source in Ola confirmed to me that it was indeed the staging servers that were compromised.
Ola Cabs has been in the news several times this year for security lapses. Earlier this year, the Business Standard reported vulnerabilities with the Ola cabs app, which have since been addressed. The proof of concept video can be seen here.
In this case, we only had attackers' word on Ola's server being pwned, with scant details. The attackers presumably posted on Reddit after not receiving any response from Ola. A clear message here for companies who are being similarly contacted: Ignore at your own peril. Responsible reaction begets responsible disclosure.
What Might Have Happened
Given the scant details shared by the group, let's look at what we can surmise from the disclosure post.
On the face of it, several experts I consulted aren't sold on the 'alleged' hack. The sample screenshots shared by 'TeamUnknown' showed data dating back to 2011. Moreover, the attackers seemed to have taken screenshots from the MySQL console, indicating they had a significant level of access, giving the impression that this might have been an inside job, with someone posting an old data dump and claiming a hack. However, it seems console access is possible in several cases.
Lavakumar Kuppan, author of the open source automated vulnerability assessment tool IronWASP, says it is possible that the attackers may have been scanning the IP address ranges that belong to Ola and so picked up the development web and/or MySQL database server when they were connected to the Internet.
Either the MySQL service was directly exposed to the internet or it was accessible after compromising the development web server using a method known as "port forwarding," he says. This would explain the console screenshots, he speculates. This theory also fits in with Ola's statement about the testing environment being attacked when it was exposed.
However, the implications of the development server being compromised are not cursory, as Ola would have us believe. For one, the production environment likely mimics the staging environment to a great extent, which means that the same vulnerabilities might exist there as well, Kuppan says. Not to mention the attackers getting a good idea of how the production environment might be structured.
The second big issue is that Ola seems to be storing passwords hashed using MD5 - a very weak and easy to break algorithm - as seen in the screenshots. If the production systems use MD5 as well, that would be poor security practice, he says.
Aditya Gupta, Founder & CEO of Bengaluru-based AppSec firm Attify Inc, the firm that disclosed the previously mentioned vulnerability in Ola's mobile app, agrees. The staging servers should have been better protected, he says. A company saying that the staging server getting compromised is not a big deal is clearly not taking security as seriously as it should, especially given its previously poor track record in security.
More clarity from 'TeamUnknown' is welcome, and let's hope that this time Ola - and other organizations that are equally vulnerable - takes the disclosure more seriously. The quality and maturity of disclosure practices and the subsequent response vary greatly in India, indicative of the market's maturity. But the landscape is changing fast. Organizations need to refine their abilities to respond to such incidents quickly, thoroughly and accurately - and so do my colleagues in the mass media.