Meru Cabs: Customer Data Exposed
Company Fixing Flaws that Left Customer Info Unprotected
Mumbai-based Meru Cabs, which offers online and mobile-app cab bookings, has been inadvertently exposing customer data to the Internet, a security expert warns. The problem stems from logs generated by Meru's mobile app being stored on the Web in a publicly accessible directory.
The logs, which lack encryption or authentication controls, have included customers' personally identifiable information, including mobile numbers, email addresses, pickup and drop locations, masked credit-card numbers, payment notification logs, Meru booking logs and service and notification related logs for Android, Blackberry, iPhone and Windows platforms.
Meru is one of India's leading cab companies, and claims to carry more than 1 million passengers every month. The company was recently in the news for its bid to raise $100 million from Asian investors.
Information Security Media Group first learned of the company's customer-data exposure when a security expert, who is also a Meru customer, found the problem and alerted ISMG. Speaking on condition of anonymity, he says the problem appears to stem from Meru failing to employ secure development techniques and to properly lock down its Web and mobile apps, and related integration.
The source adds that no scripting, programming or any kind of hack was required to gain access to this information; access to the logs was possible simply by navigating to a specific URL. The source believes that Meru's third-party service providers may also be affected.
In part, that's because in addition to the logs, Meru's Web asset registry - for its mobile app - was accessible publicly and thus could have exposed a treasure trove of valuable information, including sensitive code and SSL certificates, which could be abused in numerous ways by a would-be attacker. The source believes this state of affairs may have existed for an extended period of time, certainly months.
To help prevent any potential abuse, ISMG will not publish precise details of the vulnerable links and assets.
ISMG alerted Meru to the details of the vulnerabilities on May 6, and within 48 hours, Meru remediated a majority of the highlighted security issues. Nilesh Sangoi, Meru's senior vice president and chief technology officer, says that related investigations and mitigation efforts remain ongoing.
"The issue was a Web server misconfiguration, which we have corrected within the first working hour after getting your first mail," Sangoi tells ISMG. "We've also removed all the unnecessary documents and logs from the folder."
While preliminary fixes have been put in place, Meru plans to implement broader architectural and technical changes and enable better end-to-end security, including releasing a new version of its mobile app on each platform, Sangoi says. Meru has a small in-house team and also works with an ecosystem of partners, a Meru spokesperson says. WinIT Systems, Meru's third-party software developer, could not be reached for comment.
Based on the details shared by ISMG's source, the information exposed included unprotected log data containing the PII detailed above, in addition to a slew of code, certificate and PEM files. PEM files are certificates required for sending push notifications to users of the Meru app on iOS devices. Theoretically, access to this file can mean the ability to send push notifications to all users of the Meru app on iOS devices. But Sangoi says that the PEM certificates were old, expired certificates that could no longer be used.
Prior to informing Meru about the vulnerable links and flaws, ISMG turned to an information security expert to corroborate the source's claims. Speaking on condition of anonymity, the expert says that the primary problem stems from Meru having the "directory listing" feature enabled on its Web asset server, which enables anyone accessing the web server's URL to see an Explorer-style listing of all files.
Furthermore, Meru was hosting sensitive data on its Web root directory. Assets in the web-root directory, even with directory listing turned off, can be sniffed out and accessed if the attacker guesses the filename convention, the expert says.
After ISMG's warning to Meru, the vulnerable server has now been locked down, the expert reports, although he notes that some specific files still remain accessible. In addition, SSL certificates with private keys were being hosted publicly on the server, which could be used to decrypt encrypted communications or launch man-in-the-middle style attacks, he says.
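A defender-side check for the two problems the expert describes above (sensitive files kept in the Web root, and private keys hosted alongside them), as an added example that is not from Meru, ISMG or the experts quoted: it walks a web root and reports files that would be reachable by URL whether or not directory listing is enabled. The extension list, function names and sample tree are assumptions constructed for the illustration.

```python
import os
import re
import tempfile

# Assumed policy for this sketch: none of these belong under a public web root.
PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
RISKY_EXT = {".log": "log file", ".pem": "certificate/key bundle",
             ".key": "key file", ".bak": "backup copy", ".sql": "database dump"}

def audit_web_root(root):
    """Return sorted (relative_path, reason) pairs for files that should not be web-reachable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                head = fh.read(65536)  # key markers sit near the top of a PEM file
            if PRIVATE_KEY.search(head):
                # Content match catches keys even when the file name hides them.
                findings.append((rel, "private key material"))
            else:
                ext = os.path.splitext(name)[1].lower()
                if ext in RISKY_EXT:
                    findings.append((rel, RISKY_EXT[ext]))
    return sorted(findings)

def build_sample_root(root):
    """Constructed sample tree; file names and contents are invented for the demo."""
    samples = {
        "index.html": b"<html>ok</html>",
        "logs/booking.log": b"booking created (constructed line)\n",
        "push/ios_push.pem": b"-----BEGIN CERTIFICATE-----\n(constructed)\n",
        "ssl/site.txt": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_root(root)
        return audit_web_root(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run against a real document root, any finding is a file to move outside the served tree; turning off directory listing alone leaves each of them fetchable by name.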
CitrusPay, the mobile payment wallet being used by Meru's app, and ValueFirst, which sends SMS notifications on Meru's behalf, may also be affected by the security flaws, ISMG's original source warns. That's because the data exposed on Meru's server included scripts to integrate checkout pages with the CitrusPay payment gateway, as well as information relating to staging and production servers, and the CitrusPay Merchant Kit APIs - including test APIs and other code.
However, CitrusPay says it is confident that no sensitive part of its payment ecosystem has been compromised. Amrish Rau, managing director at CitrusPay, says that the exposed CitrusPay files and manuals are, in fact, openly distributed to merchants via CitrusPay's website, to facilitate integration efforts, and cannot be used to compromise CitrusPay's systems. Accordingly, CitrusPay says that its Payment Card Industry Data Security Standard or PCI DSS "Level 1" compliance is not affected.
The data exposed in the Meru logs did include masked credit card information in the first six-last four format, which is in keeping with PCI norms, Rau says. "In this specific case, the sensitive payment information remained completely masked," he says, beyond which, what happens in the merchant's ecosystem is beyond CitrusPay's purview.
According to ISMG's source, the exposed data also leads to a secondary compromise. Credentials for accessing ValueFirst, the SMS gateway service, which sends out text notifications to Meru customers on an as-needed basis, were also exposed in an unprotected .PHP code file on the server.
These credentials could be directly used to access the MIS or management information system maintained by ValueFirst for Meru, the source says, which maintains records of notifications sent to Meru customers including trip details and automatically generated passwords, among other information. This information can be extracted and abused, he says.
Automatically generated passwords sent to Meru users via text message were stored in plain text within the MIS, documentary evidence furnished by the source reveals. In cases where the user hasn't reset that password, a would-be attacker would have easy access to the user's Meru account, simply by using the password and pairing it with the customer's username, which is the mobile number registered with Meru. This implies that any user account with a wallet or payment credentials saved could be defrauded. ISMG's second security expert verified this vulnerability.
The original source also flagged a further security problem: Attempts to reset the automatically generated password appeared to fail, suggesting that the password system may have flaws.
Furthermore, the threat of external access to ValueFirst's MIS for Meru also raises the possibility that the exposed data may have covered more than just customers using Meru's mobile app, since ValueFirst MIS is also used to service customers using Meru's services through its call centers and website. The source claims some message notifications sent to international numbers are listed as well.
Meru's Sangoi says that after learning of these vulnerabilities via ISMG, Meru changed the passwords for many of its services, including the SMS gateway. But indications are that, while the exposed MIS credentials have been revoked, internal issues with the password system may persist. ValueFirst could not be reached for comment.
The dangers posed by financial data or PII being stolen are by now well-known: "Insecure data storage on Meru's part may instigate identity theft, fraud, reputation damage, external policy violation (PCI) and material loss," ISMG's source says.
A security thought leader and ex-CISO comments that the Meru vulnerabilities may not have been exploited by any attackers, and thus may not have impacted customers. But if PII and other data has been stolen, and monetized, Meru's legal liability would be based on the contracts and agreements it has with its customers, as well as the "acquiring entity," which in this case is CitrusPay, he says.
Mumbai-based cyber-law expert Prashant Mali, meanwhile, says that if public-interest litigation were to be filed by users of Meru's mobile app with an adjudicating officer - an arbitrating authority for cyber law cases under Indian law - Meru might have to pay damages or compensation. Currently, however, it's unclear whether most Meru users would ever be aware that there had been related vulnerabilities. "There is a need for the government to come out with a mechanism for handling data breaches that requires breached entities to inform all affected stakeholders," he says.