WeWork India has fixed a security flaw that exposed the personal information and selfies of tens of thousands of people who frequented WeWork India’s coworking spaces.
Security Investigator Sandeep Hodkasia discovered that visitor data came from the check-in app on the WeWork India website, used by visitors to log into the dozens of WeWork India locations across the country. A bug in the app meant it was possible to access any visitor’s check-in record by increasing or decreasing the user’s sequential user ID by one digit.
Because the check-in tool was web-oriented, the bug allowed anyone on the web to browse thousands of records, revealing names, phone numbers, email addresses and selfies. Hodkasia said there were no clear controls to prevent anyone from gaining massive access to the data.
None of the data was encrypted.
Hodkasia described the bug to TechCrunch, which replicated and confirmed its findings, and passed the information on to WeWork India.
When reached by email, WeWork India spokesperson Apoorva Verma confirmed that his website had “a bug that allowed inadvertent access to basic visitor information”. The check-in app was pulled from the website shortly after TechCrunch contacted the company. According to Verma, WeWork India is “in the midst of transitioning our website” and that the recent changes are “softening” the exposure.
It is not known exactly how much visitor information was exposed and for how long.
When asked if there were any plans to notify those whose information had been released, WeWork India spokesman Sweta Nair declined to say. (The new data breach notification rules in India, which require companies to notify authorities of a data breach within six hours of discovery, have yet to take effect due to a delay in the rollout of the rules.)
Over the past year, WeWork India has joined a string of Indian companies and organizations that have been ravaged by a cybersecurity slump. In 2020, during the peak of the COVID-19 pandemic, India’s largest mobile network, Jio, published a database of the results of a coronavirus self-test symptom checker on its website. Earlier this year, India’s Central Industrial Security Force released a database of network logs on the Internet, giving anyone direct access to internal files on CISF’s internal network. And in June, TechCrunch reported the latest release of Aadhaar figures that may have involved millions of Indian farmers, thanks to a vulnerability at government agency PM-Kisan.
To contact the security desk, message Signal at +1 646-755-8849 or email [email protected]