WeWork India exposed visitors’ personal information and selfies

WeWork India has fixed a data security lapse that exposed to the internet the personal information and selfies of tens of thousands of people who visited WeWork India’s coworking spaces.

Security researcher Sandeep Hodkasia found visitor data spilling from the check-in app on WeWork India’s website, which is used to sign in at the dozens of WeWork India locations across the country. A bug in the app meant it was possible to access the check-in record of any visitor by increasing or decreasing the user’s sequential user ID by a single digit.

Because the check-in tool is internet-facing, the bug allowed anyone on the internet to cycle through thousands of records, exposing names, phone numbers, email addresses, and selfies. Hodkasia said there were no obvious or apparent controls in place to prevent someone from accessing the data in bulk.
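The class of bug described above, and one way to close it, as an added illustration that is not code from WeWork India or from this report. The record data, function names, per-visitor token scheme and failure threshold are all constructed assumptions.

```python
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: check-in records keyed by sequential ID.
RECORDS = {
    1041: {"name": "Visitor A", "email": "a@example.com"},
    1042: {"name": "Visitor B", "email": "b@example.com"},
    1043: {"name": "Visitor C", "email": "c@example.com"},
}

def get_checkin_vulnerable(record_id):
    """Lookup by ID alone: anyone who supplies a neighbouring number gets that record."""
    return RECORDS.get(record_id)

class CheckinStore:
    """Hardened lookup (hypothetical design): each record is bound to an
    unguessable per-visitor token, and each client gets a small budget of
    failed lookups before further requests are refused."""
    MAX_FAILURES = 3  # assumed threshold

    def __init__(self, records):
        self._records = records
        self._tokens = {}                  # record_id -> secret token
        self._failures = defaultdict(int)  # client -> failed lookups

    def issue_token(self, record_id):
        """Called once at check-in; the token is handed only to that visitor."""
        token = secrets.token_urlsafe(32)
        self._tokens[record_id] = token
        return token

    def get_checkin(self, client, record_id, token):
        if self._failures[client] >= self.MAX_FAILURES:
            raise PermissionError("lookup budget exhausted")
        expected = self._tokens.get(record_id)
        # An unknown ID and a wrong token both return None, so the response
        # does not reveal which IDs exist. The comparison is constant-time.
        if expected is None or not hmac.compare_digest(expected, token):
            self._failures[client] += 1
            return None
        return self._records[record_id]
```

The sequential ID can stay as an internal key; what changes is that the ID alone no longer authorizes a read, and repeated misses from one client are counted and cut off.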

None of the data was encrypted.

Hodkasia described the bug to TechCrunch, which replicated and confirmed his findings, and passed the information to WeWork India.

When reached by email, WeWork India spokesperson Apoorva Verma confirmed its website “had a bug that allowed unintentional access to the basic visitor information.” The check-in app was pulled from the website soon after TechCrunch contacted the company. Verma said WeWork India is “in the midst of transitioning our website,” and that its recent changes “mitigated” the exposure.

It’s not known exactly how many visitors’ information was exposed or for how long.

When asked if there were any plans to notify those whose information was exposed, WeWork India spokesperson Sweta Nair would not say. (India’s new data breach reporting rules, which require companies to notify authorities of a data breach within six hours of discovery, have yet to take effect, following a delay in the rollout of the rules.)

WeWork India joins a raft of Indian companies and organizations in the past year beset by a lapse in cybersecurity. In 2020 during the peak of the COVID-19 pandemic, India’s largest cell network Jio exposed a database containing the results of a coronavirus self-test symptom checker on its website. Earlier this year, India’s Central Industrial Security Force left a database packed with network logs exposed to the internet, allowing anyone to directly access internal files on CISF’s internal network. And, in June, TechCrunch reported the latest spill of Aadhaar numbers involving potentially millions of India’s farmers, thanks to a security lapse at the PM-Kisan government agency.

To get in touch with the security desk, you can message on Signal at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.
