Wednesday, June 19, 2024

7 Million Indane LPG Users & Distributor’s Personal Data & Bank Details Leaked Online

Indane LPG exposed nearly 7 Million Customers and distributors sensitive data online due to the serious vulnerabilities that discovered in all the major services that provide by their iOS applications.

Indane is owned by Indian Oil Corporation Limited, which is an Indian state-owned oil and gas company and it is the largest commercial oil company in India and it has a customer base of more than 98 million.

This serious vulnerability leaks various sensitive customers and distributors data including the following,

  • Personal data of every single Indane consumer.
  • Leak Distributor’s Bank details.
  • View the online order history of every single consumer.
  • Modify personal data of any consumer limited to Landline and Mobile Number.
  • Make any Consumer, Opt Out of Subsidy without their consent.
  • Surrender any consumer’s connection thus resulting in the closure of account with Indane.
  • Finally, Book a new LPG Cylinder on behalf of any other Consumer.

A broken Access Control vulnerability that resides in the Indane iOS app lead to an unauthorized information disclosure that allows attackers to modify the data.

Sreekanth Pillai, A security researcher who discovered this vulnerability reported GBHackers on Security, “The API Endpoint was vulnerable to Broken Access Control vulnerability. On accessing my profile section within the application, a POST request was sent to the backend server with my user id, deviceID and Base64 encoded access_token.”

Every Indane Gass Customer Data Leaked

During his research, the vulnerability allows him to access any of the Indane customers including,

• Consumer Number
• Consumer Name
• Postal Address
• Personal Email Address
• Landline and Mobile Number

Whenever users accessing their profile in iOS App, a POST request is happening to the following API endpoint:

Along with the post request, the app sends a “userid” to API endpoint to validate the current user.

Here, Sreekanth was able to fetch the information of other Indane consumers by modifying the value of “userid” incrementally.

Indane Customers Personal Data

Leaked Distributor’s Bank details

An option called “LPG Refill Order” in indane iOS applications used by customers to book a new LPG Cylinder.

In order to retrieve the requested information, a POST request is being sent to the following vulnerable API endpoint:

In this case, “The response for this request displays my distributor’s information but it includes quite a lot of interesting details including the distributor’s bank details linked with Indane”. Sreekanth Pillai stated in the Proof-of-concept that shared with GBHackers on Security.

The sensitive information including:

• Distributor Name as per Bank
• Account Number
• Bank Name
• Bank IFSC
• Email address linked with Bank Account Number
• Mobile Number linked with Bank Account Number

Indane distributors bank details

Likewise, all the API endpoints are vulnerable that associated with Indane iOS app that allows virtually allowing me to do anything with any of the 6.7 million consumer’s including the following actions.

  • Modify personal data of an Indane consumer limited to Landline and Mobile Number.
  • Make any Consumer, Opt Out of Subsidy without their consent.
  • Surrender any consumer’s connection thus resulting in the closure of account with Indane.
  • Finally, Book a new LPG Cylinder on behalf of any other Consumer.

March 29, 2019, Sreekanth Pillai, Reported to NCIIPC and March 30, 2019 — Indane’s official mobile applications were removed from both Apple and Google’s App Store.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Vulnerability in Xiaomi Pre-Installed Security App Allows Hackers to Hijack Device by Injecting Malware

0patch PRO – New Micropatch Program Launched for Windows Platform Zero-day Vulnerabilities


Latest articles

Amtrak Data Breach: Hackers Accessed User’s Email Address

Amtrak notified its customers regarding a significant security breach involving its Amtrak Guest Rewards...

Chrome Security Update – Patch for 6 Vulnerabilities

Google has announced a new update for the Chrome browser, rolling out version 126.0.6478.114/115...

Hackers Weaponize Windows Installer (MSI) Files to Deliver Malware

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by a threat actor group,...

Hackers Using VPNs To Exploit Restrictions & Steal Mobile Data

Hackers are offering "free" mobile data access on Telegram channels by exploiting loopholes in...

New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication

Several phishing campaign kits have been used widely by threat actors in the past....

Stuxnet, The Malware That Propagates To Air-Gapped Networks

Stuxnet, a complex worm discovered in 2010, targeted Supervisory Control and Data Acquisition (SCADA)...

Threat Actors Claiming Breach of AMD Source Code on Hacking Forums

A threat actor named " IntelBroker " claims to have breached AMD in June...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles