How I found Swiggy partners data breach?
I am at the office, it’s Friday evening and it’s time for me to go home but I was waiting for my friend to come. And in the meanwhile, I was looking into LinkedIn user feeds about swiggy. I thought “let’s hack(ethically) swiggy today” so the first step for hacking is always to know more about your target, collect as much information about your target. So I started the reconnaissance, I always start with Shodan(Search Engine), here I found some juicy stuff about swiggy i.e compromised elasticsearch instance with 9 giga bytes of swiggy logs. And I started digging deeper into it. And I found many indices(called tables in traditional database). I kept digging into each index and there I found swiggy logs related to login failures of swiggy partners and PoS(point of sale) related logs. In swiggy partner related logs I have seen plain text user IDs and passwords. I tried one of the user credentials to log into swiggy partner account and it worked(Hurray!!) and started checking other few credentials and it worked. And later I have written a python script to find how many of these credentials are working i.e legit ones. I found more than 50% percent of these credentials are legit ones.
PoC video below
So my next step is to create a report of this data breach and report to Security@Swiggy. Later in the evening I have created a detailed report and PoC about the issue and reported to Security@Swiggy. And it’s been more than a month and they didn’t resolve the issue. And the compromised elasticsearch doesn’t belongs to swiggy. It is obvious that the elasticsearch instance that I found belongs to some attacker. I anticipate that attacker might have created backdoor for swiggy partner login API and kept logs to track login failures of swiggy partners and saving it to elasticsearch index.
Note: I am not sure whether the elasticsearch instance belongs to Swiggy or attacker. But as per the conversation with swiggy they claim that the open elasticsearch instance doesn’t belongs to Swiggy. Maybe they were afraid of the GDPR ……. !
Timeline
- Reported the data breach to Security@Swiggy Jan-31-2020
- Followup on Feb-4–2020. Swiggy has started investigating the issue.
- Next, follow up response from Swiggy. Security@Swiggy is still investigating the issue. Feb-7–2020
- 3rd followup response from Swiggy. Security@Swiggy found that data compromised belong to swiggy partner users and they Identified that compromised elasticsearch instance doesn’t belong to them. Feb-11–2020
- I have followed up swiggy multiple times regarding the issue and public disclosure of the data breach and they stopped responding to my emails.
- Finally, the attacker removed the open elasticsearch instance. Mar-26–2020
I thought it’s time to blow the whistle and let the users know that their data is been compromised.
