Search This Blog

Oyo Leaves Customers’ Confidential Data Unprotected Due to a Security Flaw

A cyber security researcher, Jay Sharma found a security flaw in Oyo Rooms' service which exposed confidential data of people availing the service.


The world’s third-largest and fastest-growing hospitality and homestay chain, Oyo is reportedly leaving its customer data unprotected, which makes it vulnerable to a breach due to a flaw found in its security systems. A cybersecurity researcher, Jay Sharma, who used Oyo for the first time in his life, found a loophole in the service which was exposing confidential information of the customers availing the service.

Founded in 2013 by 25-year-old, Ritesh Agarwal, Oyo has confirmed the presence of security flaw in an email to the cybersecurity researcher who took to the professional networking site, LinkedIn to share his first time experience with the service and sent the report of the same to the company’s Cyber team on 22nd of August. The data at risk included booking IDs, contact numbers, the date of the booking, the number of people staying in the room and location.

Sharma was offered a bounty reward of Rs. 25,000, which is the increased amount after the officials, reviewed the severity involved, the initial amount offered was Rs. 5000.

Sharing the insights of the experience and the details of the vulnerability, Jay wrote on LinkedIn, “I used Oyo for the first time in my life, and once I checked in, it was compulsory to enter booking ID and phone number to access the Wi-Fi”, “Why should anybody in the room be forced to share personal information via OTP (one-time-password) verification to use Wi-Fi?”

“I researched more and found that the HTTP & Ssh ports were open with no rate limit for the IP which was hosting this. Captcha was a 5 digit number generated by math.random(). I created a way to brute force the login credentials while executing the captcha.”

“Once login was brute-forced all the historical data dating back to a few months was accessible. The booking IDs and phone numbers related to these IDs with timestamps were stored naked and all of it could be downloaded by parsing HTML using python scripts.” He wrote.

Jay further warned the customers not to log in and “wait till OYO announces officially that they have fixed this issue” as “all the properties which use this login are vulnerable.”

Commenting on the matter, the company, headquartered at Gurugram, said “Oyo provides safe and secure hotels to unmarried couples. Most Oyo hotels allow unmarried couples and accept local IDs; they have well-trained staff who ensure safety and privacy,”

“Any vulnerability, no matter how limited-time or small is taken very seriously and looked into,” a spokesperson told in a statement.
Share it:

Oyo

User Data

User Privacy

User Security

Vulnerabilities and Exploits