During a recent OYO stay, cybersecurity expert Jay Sharma spotted an issue with the Wi-Fi login system of his hotel.
He noted that the vulnerability could be exploited with a brute force attack to extract data ranging from customer Booking IDs and phone numbers to the date and location of the booking.
"All the historical data dating back a few months was accessible," he claimed.
What was the issue that exposed this data?
In the hotel, Sharma found that OYO's Wi-Fi login required customers to enter their Booking ID and phone number.
On digging into it, he discovered that "the http & ssh ports were open with no rate limit for the IP which was hosting this. Captcha was a 5 digit number generated by math.random()."
This allowed him "to brute force the login credentials while executing the captcha".
Here's what he said about the danger from the vulnerability
"The booking IDs and phone numbers related to these IDs with timestamps were stored naked and all of it could be downloaded," Sharma said, adding that "you could compute on the data to extract OYO couples living in a room, phone numbers, social information etc."
OYO fixed the issue after Sharma's report
When Sharma reported the issue to OYO, the company issued a fix for the vulnerability and paid him a reward of Rs. 25,000.
A spokesperson told ET that the flaw was restricted to a single property and was fixed immediately after disclosure.
"Any vulnerability, no matter how limited-time or small is taken very seriously and looked into," the representative added.
Statement from OYO on their security practices
"We employ and invest heavily in the best in industry cybersecurity mechanisms including in-house security operation centers, internal and external vulnerability scans and network penetration tests, training developers on secure development practices amongst others," the OYO spokesperson further added.
Many details still remain unclear, company facing flak
Even though the issue has been fixed, many details remain unclear, including how many customers' information was leaked and if anyone else (before Sharma) had access to this data.
Notably, the vulnerability, which put guests' location and other details at risk, has already triggered a wave of criticism against the company, which has been touting itself as a 'couple-friendly' place to stay.