WeWork India patched a security flaw that exposed the personal information and selfies of tens of thousands of people who visited WeWork India’s coworking spaces.
Security researcher Sandeep Hodkasia found visitor data exposed by WeWork India’s website registration application, which visitors use to sign in at the dozens of WeWork India locations across the country. A bug in the app made it possible to access any visitor’s check-in record simply by increasing or decreasing the sequential user ID by a single digit.
Since the registration tool was accessible over the Internet, the bug allowed anyone online to browse through thousands of records, exposing names, phone numbers, email addresses and selfies. Hodkasia said there were no obvious controls in place to prevent someone from accessing the data in bulk.
None of the data was encrypted.
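The flaw described above is an insecure direct object reference: the app looked up a check-in record by a guessable sequential ID and never asked whether the requester was entitled to it. The following is an added illustration, not WeWork India’s code, written for this article: a lookup with that defect beside its fixed form (an ownership check, plus unguessable tokens in place of the sequential key), and a small detector that flags the sequential-ID walking pattern in web-server access logs. All record data, account names, the `/visitors/<id>` route and the log lines are constructed for the example.

```python
"""Added illustration, not WeWork India's code: an insecure-direct-object-
reference (IDOR) lookup of the kind the article describes, its fixed form,
and a detector that spots sequential-ID enumeration in web access logs.
All names, routes and data below are constructed for this example."""
import re
import secrets
from collections import defaultdict

# Constructed check-in records keyed by a sequential ID. "owner" is the
# visitor account that created the record.
RECORDS = {
    1001: {"owner": "v-a", "name": "Visitor A", "phone": "+91-00000-00001", "selfie": "a.jpg"},
    1002: {"owner": "v-b", "name": "Visitor B", "phone": "+91-00000-00002", "selfie": "b.jpg"},
    1003: {"owner": "v-c", "name": "Visitor C", "phone": "+91-00000-00003", "selfie": "c.jpg"},
}


def lookup_vulnerable(record_id, caller):
    """Vulnerable: returns whatever record the request names. The caller's
    identity is never consulted, so record_id +/- 1 is someone else's data."""
    return RECORDS.get(record_id)


def lookup_fixed(record_id, caller):
    """Fixed: the record is returned only to the account that owns it.
    Missing and foreign records get the same answer, so the endpoint does
    not reveal which IDs exist."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != caller:
        return None
    return record


# Defence in depth: expose records by an unguessable token instead of the
# sequential database key, so the ID space cannot be walked at all.
TOKEN_TO_ID = {}


def issue_token(record_id):
    token = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
    TOKEN_TO_ID[token] = record_id
    return token


def lookup_by_token(token, caller):
    record_id = TOKEN_TO_ID.get(token)
    return None if record_id is None else lookup_fixed(record_id, caller)


# Detection: walking a sequential ID space shows up in the access log as one
# client fetching consecutive IDs. Combined-log-format lines, constructed.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2000:10:01:01 +0000] "GET /visitors/1001 HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2000:10:01:02 +0000] "GET /visitors/1002 HTTP/1.1" 200 498
198.51.100.7 - - [01/Jan/2000:10:01:02 +0000] "GET /visitors/1003 HTTP/1.1" 200 530
198.51.100.7 - - [01/Jan/2000:10:01:03 +0000] "GET /visitors/1004 HTTP/1.1" 200 501
198.51.100.7 - - [01/Jan/2000:10:01:03 +0000] "GET /visitors/1005 HTTP/1.1" 200 515
203.0.113.9 - - [01/Jan/2000:10:02:10 +0000] "GET /visitors/2211 HTTP/1.1" 200 507
203.0.113.9 - - [01/Jan/2000:10:40:10 +0000] "GET /visitors/2211 HTTP/1.1" 200 507
""".splitlines()

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /visitors/(\d+) HTTP/[\d.]+" (\d{3})'
)


def detect_enumeration(log_lines, run_length=5):
    """Return client IPs that successfully fetched `run_length` or more
    consecutive record IDs: the signature of walking a sequential ID space."""
    ids_by_client = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "200":
            ids_by_client[m.group(1)].add(int(m.group(2)))
    flagged = []
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= run_length:
                flagged.append(client)
                break
    return flagged


if __name__ == "__main__":
    # Caller "v-a" stepping the ID by one reaches Visitor B through the
    # vulnerable lookup but not through the fixed one.
    print(lookup_vulnerable(1002, "v-a"))   # Visitor B's record leaks
    print(lookup_fixed(1002, "v-a"))        # None
    print(detect_enumeration(SAMPLE_LOG))   # ['198.51.100.7']
```

The ownership check is the actual fix; the opaque token and the log detector are the two extra layers the article implies were missing, namely nothing that stops the ID space from being guessed and nothing that notices bulk retrieval. Returning the same `None` for a missing record and for another visitor’s record matters too: a distinct “forbidden” response would still tell a caller which IDs exist.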
Hodkasia described the bug to TechCrunch, which replicated and confirmed his findings and forwarded the information to WeWork India.
When contacted by email, WeWork India spokesperson Apoorva Verma confirmed that its website “has a bug that allowed inadvertent access to basic visitor information.” The registration app was removed from the website shortly after TechCrunch contacted the company. According to Verma, WeWork India is “in the process of transitioning our website,” and its recent changes “mitigate” the exposure.
It is unclear exactly how much visitor information was exposed or for how long.
When asked if there were plans to notify those whose information was exposed, WeWork India spokesperson Sweta Nair did not respond. (India’s new data breach reporting rules, which require companies to notify authorities of a data breach within six hours of its discovery, have not yet come into effect, following a delay in rule deployment.)
WeWork India joins a group of Indian companies and organizations plagued by cybersecurity failures over the past year. In 2020, at the height of the COVID-19 pandemic, India’s largest cellular network Jio exposed a database containing the results of a coronavirus self-test symptom checker on its website. Earlier this year, India’s Central Industrial Security Force left a database full of network logs exposed to the Internet, allowing anyone to directly access internal files on CISF’s internal network. And, in June, TechCrunch reported the latest spill of Aadhaar numbers, potentially involving millions of Indian farmers, thanks to a security breach at the government agency PM-Kisan.
To get in touch with the Security Office, you can message Signal at +1 646-755-8849 or email [email protected].