7 Million Indane LPG Users & Distributor’s Personal Data & Bank Details Leaked Online
Indane LPG exposed nearly 7 Million Customers and distributors sensitive data online due to the serious vulnerabilities that discovered in all the major services that provide by their iOS applications.
Indane is owned by Indian Oil Corporation Limited, which is an Indian state-owned oil and gas company and it is the largest commercial oil company in India and it has a customer base of more than 98 million.
This serious vulnerability leaks various sensitive customers and distributors data including the following,
- Personal data of every single Indane consumer.
- Leak Distributor’s Bank details.
- View the online order history of every single consumer.
- Modify personal data of any consumer limited to Landline and Mobile Number.
- Make any Consumer, Opt Out of Subsidy without their consent.
- Surrender any consumer’s connection thus resulting in the closure of account with Indane.
- Finally, Book a new LPG Cylinder on behalf of any other Consumer.
A broken Access Control vulnerability that resides in the Indane iOS app lead to an unauthorized information disclosure that allows attackers to modify the data.
Sreekanth Pillai, A security researcher who discovered this vulnerability reported GBHackers on Security, “The API Endpoint was vulnerable to Broken Access Control vulnerability. On accessing my profile section within the application, a POST request was sent to the backend server with my user id, deviceID and Base64 encoded access_token.”
Every Indane Gass Customer Data Leaked
During his research, the vulnerability allows him to access any of the Indane customers including,
o Consumer Number
o Consumer Name
o Postal Address
o Personal Email Address
o Landline and Mobile Number
Whenever users accessing their profile in iOS App, a POST request is happening to the following API endpoint:
indane.co.in/mobile_api_coded/show_consumer_profile_secure.php
Along with the post request, the app sends a “userid” to API endpoint to validate the current user.
Here, Sreekanth was able to fetch the information of other Indane consumers by modifying the value of “userid” incrementally.
Leaked Distributor’s Bank details
An option called “LPG Refill Order” in indane iOS applications used by customers to book a new LPG Cylinder.
In order to retrieve the requested information, a POST request is being sent to the following vulnerable API endpoint:
indane.co.in/mobile_api_coded/onlinerefillinfo_secure.php
In this case, “The response for this request displays my distributor’s information but it includes quite a lot of interesting details including the distributor’s bank details linked with Indane”. Sreekanth Pillai stated in the Proof-of-concept that shared with GBHackers on Security.
The sensitive information including:
o Distributor Name as per Bank
o Account Number
o Bank Name
o Bank IFSC
o Email address linked with Bank Account Number
o Mobile Number linked with Bank Account Number
Likewise, all the API endpoints are vulnerable that associated with Indane iOS app that allows virtually allowing me to do anything with any of the 6.7 million consumer’s including the following actions.
- Modify personal data of an Indane consumer limited to Landline and Mobile Number.
- Make any Consumer, Opt Out of Subsidy without their consent.
- Surrender any consumer’s connection thus resulting in the closure of account with Indane.
- Finally, Book a new LPG Cylinder on behalf of any other Consumer.
March 29, 2019, Sreekanth Pillai, Reported to NCIIPC and March 30, 2019 — Indane’s official mobile applications were removed from both Apple and Google’s App Store.
This post 7 Million Indane LPG Users & Distributor’s Personal Data & Bank Details Leaked Online originally appeared on GB Hackers.
