Flexible workspace solutions company WeWork India has fixed a security lapse that exposed a wide range of customers' personal data, including email addresses and selfies.
The issue was initially brought to light by security researcher Sandeep Hodkasia, who found that the company's check-in app, available on its website, had a bug that allowed anyone to access user check-in data by increasing or decreasing the user's sequential user ID by a single digit.
Since WeWork's check-in tool, which is used by thousands of customers at multiple sites across the country, is not built on an internal network, anyone on the internet could use this bug to access user data including names, phone numbers, email addresses, and selfies. Hodkasia said that the app lacks any active measures to prevent this security lapse.
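A bug of this kind, where a record is returned to whoever supplies its sequential ID, is commonly called an insecure direct object reference (IDOR), and the fix is a per-record ownership check on the server. The sketch below is an added example, not WeWork's code: the record fields, the session store and the function names are all assumptions made for illustration.

```python
import secrets

# Constructed sample records; field names are assumptions, not WeWork's schema.
CHECKINS = {
    1001: {"owner": "alice", "name": "Alice A.", "email": "alice@example.com"},
    1002: {"owner": "bob", "name": "Bob B.", "email": "bob@example.com"},
}

# Hypothetical session store mapping opaque tokens to authenticated users.
SESSIONS = {}


def login(user):
    """Issue an unguessable session token for an already-authenticated user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def get_checkin_vulnerable(checkin_id):
    """The flaw as reported: the ID in the request is the only 'credential'."""
    record = CHECKINS.get(checkin_id)
    return (200, record) if record else (404, None)


def get_checkin_hardened(token, checkin_id):
    """Authenticate the caller, then authorize access to this specific record."""
    user = SESSIONS.get(token)
    if user is None:
        return (401, None)
    record = CHECKINS.get(checkin_id)
    # Same 404 for "missing" and "not yours", so responses do not confirm
    # which IDs exist.
    if record is None or record["owner"] != user:
        return (404, None)
    return (200, record)


if __name__ == "__main__":
    alice = login("alice")
    print(get_checkin_vulnerable(1002)[0])       # no identity needed at all
    print(get_checkin_hardened(alice, 1001)[0])  # caller's own record
    print(get_checkin_hardened(alice, 1002)[0])  # neighbouring ID, other owner
```

Replacing sequential IDs with random identifiers makes records harder to guess, but it does not substitute for the ownership check shown in `get_checkin_hardened`.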
WeWork India spokesperson Apoorva Verma confirmed to TechCrunch that the app indeed “had a bug that allowed unintentional access to the basic visitor information.” Verma also added that recent changes have “mitigated” the exposure. Following TechCrunch’s report, the check-in tool was removed from WeWork India’s website.
WeWork did not comment on whether the company plans to inform the users whose data was exposed about the situation. WeWork becomes the most recent name in a disturbingly long list of Indian cybersecurity breaches, which also includes a recent leak of Aadhaar data in June at the PM-Kisan government agency. In 2019, an OYO property's booking details were leaked through its WiFi login page.