Are Indian e-commerce companies serious about security at all? A series of incidents over the last few months prove that many of them put customer information at serious risk. Yes, systems are not perfect, but it’s painful to see simple security loopholes that should have been ideally avoided.
Last week, Mumbai based Sandeep Shetty stumbled upon a bug on online fashion retailer Myntra.He was able to take over another persons account on the site. It’s not like he was even trying to hack into the site. Shetty was trying to recover his password on Myntra when he found the bug.
When he tried recovering the password to his account, he found that it directed him to a page with a prefilled e-mail account which was somebody elses! All he needed to do now was to fill in a new password and take over the account. He repeated the experiment and was able to take over another account!
Myntra fixed the problem. But to think that such a problem was overlooked in the first place is scary. When he wrote to Myntra on firstname.lastname@example.org, the message bounced saying “The email account that you tried to reach is over quota.” Whoa! How many complaints did Myntra already get on that e-mail? How often does the company check that e-mail? Is there a process in place?
Do our e-commerce companies bother to make a responsible disclosure? Or do they rush to cover it up? Sandeep has a few pointers (1,2,3,4,5) to offer when it comes to responsible disclosures. “At a very basic level you should atleast have a security@ email address configured. Having a dedicated page for responsible disclosure on your website is an added bonus,” he writes.
Sometime early last year, Abhishek Rajan tried a simple experiment to find out if e-commerce sites were storing your password in plain text. He tried the Forgot Password feature for some popular ecommerce sites in India to see how they stored your passwords. To everybody’s surprise, he found that some of them did store your password in plain text!
Ideally, it should have been encrypted.
Payment gateways, which directly deal with a users bank account aren’t secure enough either. One of our guest authors, Gaganpreet, had pointed out critical flaws in payment gateways used by e-commerce companies. He tried to see if Indian payment gateways were secure enough by seeing if they were following industry best practices. Some of them fared very badly.
Barring a few, none of them responded quick enough. Shouldn’t there be a standard operating procedure? Shouldn’t it be a high priority event? Should there be a bug bounty program?
We’d love to see the e-commerce folks take security seriously and take proactive measures to minimize risks.