WeWork India has fixed a vulnerability that exposed personal information and selfies of tens of thousands of people who visited co-working spaces at WeWork India.
Security researcher Sandeep Hodkasia found visitor data leaking from WeWork India's web-based check-in app, which visitors use to sign in at dozens of WeWork India sites across the country. Because of an application flaw, any visitor's check-in history could be accessed simply by incrementing or decrementing the sequential user ID by one.
Since the check-in tool was internet-facing, the bug allowed anyone on the internet to cycle through thousands of records and reveal names, phone numbers, email addresses, and selfies. Hodkasia said there were no apparent controls to prevent someone from accessing the data in bulk.
None of the data was encrypted.
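The flaw the article describes is an insecure direct object reference: a record lookup keyed on a guessable sequential ID with no check that the caller is allowed to see it. The added example below (not code from the article or from WeWork India) contrasts that lookup with an ownership-checked version and adds a simple log check that flags clients walking consecutive IDs; the records, client addresses and log format are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CheckIn:
    visitor_id: int
    name: str
    phone: str
    email: str

# Constructed sample records keyed by a sequential ID, as in the article.
RECORDS = {
    1001: CheckIn(1001, "A. Visitor", "+91-00000-00001", "a@example.com"),
    1002: CheckIn(1002, "B. Visitor", "+91-00000-00002", "b@example.com"),
}

def lookup_vulnerable(visitor_id: int) -> Optional[CheckIn]:
    """Returns any record to any caller: the IDOR pattern in the article."""
    return RECORDS.get(visitor_id)

def lookup_hardened(requester_id: int, visitor_id: int) -> Optional[CheckIn]:
    """Object-level authorization: a visitor may read only their own record."""
    if requester_id != visitor_id:
        return None
    return RECORDS.get(visitor_id)

# Constructed access log, format: '<client_ip> GET /checkin/<visitor_id>'.
SAMPLE_LOG = [f"198.51.100.7 GET /checkin/{i}" for i in range(1001, 1007)] + [
    "203.0.113.5 GET /checkin/1002",
    "203.0.113.5 GET /checkin/1002",
]

def flag_enumeration(log_lines, threshold: int = 5):
    """Return clients that requested at least `threshold` consecutive IDs."""
    ids_by_client = defaultdict(list)
    for line in log_lines:
        client, _, path = line.split()
        ids_by_client[client].append(int(path.rsplit("/", 1)[1]))
    flagged = []
    for client, ids in ids_by_client.items():
        ids = sorted(set(ids))          # de-duplicate repeated requests
        run = longest = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= threshold:
            flagged.append(client)
    return flagged
```

Guessable IDs are the enabler here; the hardened lookup still works when IDs are sequential, but issuing random, non-sequential record identifiers as well removes the easy enumeration path.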
Hodkasia described the error to TechCrunch, which replicated and confirmed his findings, and relayed the information to WeWork India.
When reached by email, WeWork India spokeswoman Apoorva Verma confirmed that its website “had a flaw that allowed unintended access to basic visitor information”. The check-in app was pulled from the site shortly after TechCrunch contacted the company. Verma said WeWork India is “in the midst of moving our website,” and that recent changes have “mitigated” the exposure.
It is not known exactly how many visitors’ information was exposed, or for how long.
WeWork India spokeswoman Sweta Nair was also asked whether the company plans to notify those whose information was exposed. (India’s new data breach reporting rules, which require companies to notify authorities of a breach within six hours of discovery, have not yet come into effect; their rollout has been delayed.)
WeWork India joins a group of Indian companies and organizations that suffered cybersecurity lapses last year. In 2020, during the height of the COVID-19 pandemic, India’s largest cellular network, Jio, exposed a database of coronavirus self-test symptom checker results on its website. Earlier this year, India’s Central Industrial Security Force left a database full of network records exposed to the internet, allowing anyone to directly access internal files on the CISF’s intranet. And in June, TechCrunch reported the latest leak of Aadhaar numbers, involving millions of farmers in India, thanks to a vulnerability at the Prime Minister Kisan government agency.