After five days of the Zomato user database was hacked, the food delivery portal gives an explanation on how the hack took place. Zomato has posted a blog on Tuesday night explaining how the hacker got their developer’s credentials from their web hosting services details that were leaked in October 2015. The developer has used same login credentials on Github, a portal that is popular among developers for sharing development codes. Hacker got to a part of the code that this developer had access to and used it to hack the user’s database. Zomato also says that the hacker has breached this last year and just highlighted it now.
Zomato claimed that they had contacted the hacker after finding the username and encrypted or “hashed” passwords of its users for sale on a dark web marketplace for $1000 on May 18. In an official blog the company claimed that the hacker just wanted to highlight the bad security practices and had asked Zomato to set a better “bug bounty” program, where security researchers and White hat hackers are rewarded for showing bugs in the system.
Zomato claimed they agreed to hackers demands and they now took the data off the marketplace. They will also update users about how the hack took place once they fix all the issues that hacker has highlighted.
Zomato founder, Deepinder Goyal said in the blog update “It all started in November 2015, when 000webhost’s user database was leaked online (with plain text passwords). One of our developers had his personal hosting account with the service. As a result of 000webhost’s user account data breach, his email address and password also became available publicly. Unfortunately, the developer was using the same email and password combination on Github,”
Hacker will not be able to access the database without accessing a specific set of IP address defined by Zomato, but the hacker had scanned the code and ended up exploiting a vulnerability in the code to access the database (via remote code execution). The piece of code which was exposed was a part of a system which is not in use and hadn’t been modified for a few years now.
Goyal also mentioned in the blog post that Zomato had made two-factor authentication mandatory on Github a few months back for its employees, which cut off the hacker’s access to the developer’s Github account for updated code.
“Yes, someone has some of our code, and that’s a risk. But we have taken every step conceivable to us to make sure that the code cannot be exploited in any way possible to breach Zomato’s infrastructure. Also, one more thought that gives us comfort – with every passing day, the leaked code is getting more and more out-of-date,” Goyal writes in the blog post.
Zomato says it is now going to invest time and efforts in creating a “working group” of Indian internet companies and exchange knowledge about best practices for information security.
Checkout Latest IT news at itvoir.com
Himani Sharma, From ITvoir News Desk