KARACHI: The January-14 security breach that Careem reported on Monday might have been averted had the company paid attention to repeated warnings by Pakistani security researchers who made multiple attempts to highlight the vulnerabilities in the application of UAE-based ride-hailing giant.
The actual breach, according to Careem, occurred in January this year, but the company’s app was vulnerable to such an attack since as far back as November 2016, Profit has learned through interviews of industry sources.
In November 2016, Shahmeer Amir, a bounty hunter notified Careem on Twitter that he has found some security flaws in their system but apparently didn’t earn any attention. A few months later, Daniyal Nasir, a Karachi-based application penetration tester was able to access data of Careem captains and customers. The information he was able to access include live location of cars, vehicle registration numbers, ID card numbers, phone numbers, pictures, emails etc for users in both Pakistan and Dubai.
Nasir teamed up with Securitywall, a team of professional bounty hunters, and tried to contact Careem so he could help them fix the flaws and earn a bounty – a typical practice for ethical hackers, also known as white hats, who make a living out of penetration testing on various internet platforms.
“Between April 2017 and June 2017, I tried to contact Careem multiple times using emails, social media and chats, but earned no response,” Nasir told Profit.
The white hat explained that he, along with his friends from Securitywall, reached people from Careem’s sales, technology and engineering departments and even contacted their country head Junaid Iqbal. However, the company didn’t seem interested in taking him on board. Later on, they learned Careem fixed some of those bugs one by one. However, he maintained Careem was still not fully protected.
Could they avert this attack, had they paid attention to what you highlighted, we ask him? “Absolutely!”
The security breach at Careem, in which data of 14 million users was compromised, could be averted if the company paid attention to these hackers’ correspondence, which even highlighted how Pakistani startups were compromised by ignoring similar warnings in the past.
In an email to Careem, Securitywall’s team mentioned that Daewoo, a transport company; Zameen.com, a property portal; and Pakwheels.com, an automobile portal was also warned about vulnerabilities in their apps before they were hacked.
Zameen.com was hacked in May 2016 and hackers even put the data – user names, encrypted passwords, email addresses, phone numbers and other sensitive information – online for anyone to download before the company sprung in action and removed it. Later in December, Pakwheels.com was also hacked and data of over 600,000 registered users was compromised, exposing users’ personal information. In both cases, these hackers had warned these companies of security flaws, but they didn’t listen. In case of Daewoo, they went a step further by penetrating the company’s booking portal and used it to their advantage – they travelled free of charge to demonstrate the weakness in the company’s cybersecurity.
“This time our team has found some issues in Careem app, which can lead to some captains, customers’ data leak and some other major issues. So, we don’t want Careem to be the victim of these blackhat hackers,” the Secruritywall team wrote to Careem in the same communique, only to be ignored by the company.
“Unfortunately, many tech firms, especially those based in Pakistan don’t look at the long-term prospects of their business and focus on short-term gains. Therefore, cybersecurity is way down on their list,” information security expert Rafay Baloch said commenting on how things unfolded at Careem. “Had the company spent $100,000 in bounty hunting program, it would have taken care of critical vulnerabilities.”
The ethical hacker went on to say multiple hackers took up the matter with Careem, but they didn’t bother to take them on board and relied on internal security instead. They may have hired reputable consultants for data protection, but it is always a good idea to have a third-party test your app, which they didn’t do, he said.
Giving the example of Uber, Baloch said the company spent $1.4 million on a bug bounty program to help hackers test their app.
Another issue, according to Baloch is lack of compliance and penalization for failure to protect data.
Prior to biometric reverification of SIM cards, Pakistani cellular companies’ customer data was leaked but nobody bothered about it, let alone penalizing the companies, Baloch said. This so important personal information was sold for as low as Rs80, he added.
Compare that to Europe where they have strict regulations such as General Data Protection Regulation (GDPR). If a company that hosts data of EU citizens fails to comply with this law, it can face penalty to the tune of 4% of its global revenue. However, that doesn’t appear to be the case in Pakistan. If there is no threat of penalty, why would they comply, he says.
The breach happened in January and they disclosed it in April, had it happened in the U.S. both the regulator and the customers would have gone after them.
According to GDPR, organisations have to report any data breach to the relevant authorities within 72 hours or have a good reason for failing to do so
When Profit asked Careem about the delay in reporting this incident, the company said, “We recognized that immediate notification could have provoked other criminal activity – so we focused our efforts over the past few months on strengthening our network against further attack.”
However, experts don’t seem to buy that view.
Commenting on Careem’s security breach, Gregg Petersen of Veeam Software told ITP.net that “not alerting customers to the breach for so long ‘isn’t acceptable’, and that organisations need to work faster to maintain the trust of their customers”. Other experts echoed that view.
When asked why they didn’t respond to the hacker’s warning relating to these vulnerabilities, the company said, “Like many companies, we frequently receive messages from independent security researchers on potential technical issues. We do our best to respond to each individual, and we are actively reviewing our process to see how we can work better with this incredibly helpful community.”
Careem further said, “The data accessed in this breach is limited and there is little that can be done with it, other than you receiving an increase in targeted marketing communications. We have seen no evidence of fraud or misuse related to this incident.”
The company’s response suggests minimum damage, but Baloch thinks otherwise. “Cyber-attacks are sophisticated you can’t judge how big the breach is. In many breaches, you can’t even tell what kind of data has been breached and what could be its impact on users,” he said referring to cases where experts discovered that user’s data, which was not reported as part of the breach, was later sold in the market.
The recent breach has put Careem’s credibility at stakes as industry experts attribute this to flawed coding and lack of seriousness regarding cybersecurity. However, it is not the only ride-hailing company that has suffered a breach.
In 2017, Uber paid $100,000 to hackers who hacked the data of 57 million of its users and drivers in an October-2016 attack. Upon disclosure, the company fired its chief security officer.
Along with some other queries, we also asked Careem if it has taken any administrative action or fired anyone from their security team for not fixing the bugs notified to them more than a year ago. “Regarding to the remaining questions we’re limited in the details we can share with you at this point,” it said.