Taxi hiring firm Ola Cabs apparently fell victim to a hack, though the company is staunchly denying that any such issue took place. It’s seriously bad publicity for the Mumbai-based online cab aggregator which also had its Ola Wallet service hit by a scandal of sorts when a bug enabling free rides was discovered in March this year.
But don’t try to hitch a free ride through Ola Wallet anymore. Shubham Paramhans, the dude who found the vulnerability, assured everyone about the problem having been fixed before he posted the news on his blog. As for the latest hack on the Ola Cabs website, it was brought to light on Reddit by ‘TeamUnknown’.
The unknown hackers claim to have uncovered personal information as well as credit card transaction records of users. Apart from this, voucher codes which have yet to be issued were apparently obtainable too. The design of the application is reportedly terrible and the development server is allegedly weak. But according to a statement made to MediaNama, Ola Cabs insists that there’s been no security breach.
The hack was supposedly executed on a staging environment (which is located on a separate network from the production’s) when exposed for one of Ola Cabs’ test runs. Dummy user values meant for internal testing purposes were part of the ‘exposed data’, says Ola Cabs. Additionally, it revealed that ‘TeamUnknown’ did not try to get in touch with it regarding the problem. But the concerned Reddit account has posted images to the contrary.
If those are anything to go by, the hackers sent an email related to the flaw to the company’s security team on June 2. Using the vulnerable MD5 algorithm to hash passwords the way Ola Cabs does poses a security risk. One commentator on Reddit did point out that the involvement of the development server would mean the credit card details and vouchers codes were dummy ones.