A security lapse on the Thrillophilia website has put the data of all of its 2 million plus registered users at risk of exposure and theft.
Thrillophilia is a Bengaluru-based trip planning, activity & experience-based company.
The security flaw in the Thrillophilia API would allow an attacker to fetch the sensitive data of any registered user simply by passing that user's email address in the request.
“A data breach on the website would allow attackers to fetch sensitive data just by using the email address of the victim,” said Ehraz Ahmed, the security researcher who disclosed the issue to CNBC-TV18.
Ahmed, a 24-year-old tech entrepreneur and security researcher, has previously identified security flaws in Justdial, Truecaller and Airtel.
Ahmed says he discovered the flaw in the application programming interface (API) of Thrillophilia's website and mobile app.
Thrillophilia's API gives access to third parties without verifying the authentication token that should accompany a login.
The API can log anyone into Thrillophilia's database by modifying the email address in the cURL request. In response, the request returns the access token and all the other sensitive information given by the user at the time of creating the account.
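To make the flaw described above concrete from a defender's point of view, the following Python sketch is an added illustration and not Thrillophilia's code or anything derived from it. It models a profile endpoint twice: `vulnerable_profile` follows the pattern the article describes (an email address is the only input, no credential is checked, and an access token is returned in the body), while `hardened_profile` requires a bearer token, binds that token to the account being requested, and never echoes the token back. The user records, session table and function names are hypothetical and constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample user records, standing in for the site's database (hypothetical data).
USERS = {
    "alice@example.com": {
        "name": "Alice", "username": "alice_t", "dob": "1990-04-12",
        "city": "Bengaluru", "travel_history": ["Goa", "Ladakh"],
    },
    "bob@example.com": {
        "name": "Bob", "username": "bob_r", "dob": "1988-11-03",
        "city": "Pune", "travel_history": ["Coorg"],
    },
}

# Server-side session table: sha256(token) -> email. Storing only the hash means a
# leaked copy of this table does not hand out usable tokens.
SESSIONS: dict = {}


def _token_id(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(email: str) -> str:
    """Simulates what a successful password login would do: mint a random
    bearer token and remember which account it belongs to."""
    token = secrets.token_urlsafe(32)
    SESSIONS[_token_id(token)] = email
    return token


def vulnerable_profile(email: str) -> dict:
    """The flawed pattern from the article: the only input is an email address,
    no credential is checked, and the response even includes a fresh access token."""
    user = USERS.get(email)
    if user is None:
        return {"status": 404, "error": "no such account"}
    return {"status": 200, "access_token": issue_session(email), **user}


def hardened_profile(email: str, authorization: Optional[str]) -> dict:
    """Fixed version: the caller must present a valid bearer token, the token must
    belong to the account being requested, and no token is echoed back."""
    if not authorization or not authorization.startswith("Bearer "):
        return {"status": 401, "error": "missing bearer token"}
    presented = authorization[len("Bearer "):]
    owner = SESSIONS.get(_token_id(presented))
    if owner is None:
        return {"status": 401, "error": "unknown or expired token"}
    # Constant-time comparison so the check leaks nothing about the stored value.
    if not hmac.compare_digest(owner.encode(), email.encode()):
        return {"status": 403, "error": "token is not for the requested account"}
    return {"status": 200, "profile": dict(USERS[owner])}


if __name__ == "__main__":
    # An unauthenticated request succeeds against the flawed handler ...
    print(vulnerable_profile("alice@example.com"))
    # ... and is refused by the hardened one until a matching session token is shown.
    print(hardened_profile("alice@example.com", None))
    tok = issue_session("alice@example.com")
    print(hardened_profile("alice@example.com", f"Bearer {tok}"))
```

The two checks in `hardened_profile` are the ones missing from the pattern the article describes: authentication (is there a valid token at all?) and authorisation (does that token belong to the account whose data is being requested?). Returning the token only at login time, and never in a data-lookup response, closes the second half of the leak.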
CNBCTV18.com was able to verify the issue.
How serious is the issue?
With a registered userbase of 2 million users, 3.5 million monthly visitors and 40 million pageviews, as per its website, Thrillophilia offers services in 15 countries.
In the case of a data breach, the sensitive data of 2 million registered customers would have been at stake.
The data includes names, usernames, date of birth, city, travel history, and photos.
Replying to the comment request from CNBC-TV18, Abhishek Puri, VP growth at Thrillophilia, said he was unaware of any problems in the system and that the issue, if any, would be escalated to the company’s tech department.