A cyber-security researcher named Jay Sharma has reported an alarming security breach at OYO in a LinkedIn post. Jay wrote on LinkedIn, “I used Oyo for the first time in my life, and once I checked in, it was compulsory to enter booking ID and phone number to access the WiFi. Why should anybody in the room be forced to share personal information via OTP (one-time password) verification to use WiFi?”
“I researched more and found that the http & ssh ports were open, with no rate limit for the IP which was hosting this. Captcha was a 5-digit number generated by math.random(),” he wrote. “I created a way to brute force the login credentials while executing the captcha. Once login was brute-forced, all the historical data dating back to a few months was accessible.”
Oyo has reportedly offered to pay Sharma Rs 25,000 for reporting the vulnerability. Apparently it was his first ever stay at an OYO property when he noticed a flaw like this.
When the issue was brought to OYO’s attention, the company said that the vulnerability was limited to a single property and had been fixed immediately. “We employ and invest heavily in the best in industry cyber security mechanisms including in-house security operation centres, internal and external vulnerability scans and network penetration tests, training developers on secure development practices amongst others,” an Oyo spokesperson said in a statement. “Any vulnerability, no matter how limited-time or small is taken very seriously and looked into,” the spokesperson added.
Reportedly, the security breach could have exposed important data such as booking IDs, phone numbers, the number of people staying in a room, the date of booking and the location. Sharma also warned users not to log in until “Oyo announces officially that they have fixed this issue.”
Following this issue, OYO has remarked, “We are also in the process of developing a full-fledged bug bounty program, in step with the best practices at all premier tech companies, to continue to encourage more and more independent security researchers.”
OYO had once boasted about its privacy management, saying, “Oyo provides safe and secure hotels to unmarried couples. Most Oyo hotels allow unmarried couples and accept local IDs; they have well-trained staff who ensure safety and privacy.” However, as expected after this flaw in its service, the huge startup has faced criticism from netizens all around the world.
“Security” is of prime concern nowadays. Our “data” is the biggest business a company can trade in. Google has faced charges due to security flaws, Facebook went down the same slide a few months back, and even WhatsApp updated its end-to-end encryption to ensure perfect security of users’ data.
OYO Rooms is the third-largest hospitality chain of leased and franchised hotels in the world. In a span of just 6 years, this startup has spread its business across countries including Malaysia, UAE, Nepal, China, UK, Philippines, Japan, Saudi Arabia, Indonesia, Vietnam, United States and more. Needless to say, this venture has bagged investors such as SoftBank Group, Greenoaks Capital, Sequoia India, Lightspeed India, Hero Enterprise, Airbnb and China Lodging Group.