Security Researcher Saved Careem from Data Breach - SecurityWall

16 June 2017

Security Researcher saved Careem from a Data Breach

Disclosed by SecurityWall

Careem is a car booking platform based in the UAE which offers travel services through which people can book a car to their doorstep in a couple of minutes. The Careem app is known for its pick-up and drop-off service with the most comfortable and safe environment across the UAE, Pakistan, Africa and more countries. But what if this multinational organization gets compromised by hackers and its billion-dollars-worth of customer data gets leaked? They'd have nothing left to do except regret it.

The SecurityWall team works to secure Pakistan's cyberspace and the continued existence of our local applications. We have helped many local and multinational brands, but this story is simply to make the local audience and developers aware of how an application which seems secure isn't secure from every end.

A few weeks ago, a security researcher named Daniyal Nasir from Pakistan dug into the Careem applications to test for security issues and found the most critical vulnerabilities in their applications, through which he was able to access the confidential information of over 1.4 million Careem customers.
The information includes all the drivers' email addresses, names, mobile numbers, ID card numbers, trips, payment information, and even their pictures. Not only the drivers, but also the details of all the cars registered with Careem, even their car registration numbers.

We can't disclose the affected domains or any type of private information, for security reasons.

Daniyal Nasir, together with Team SecurityWall, tried to reach the appropriate Careem team to discuss these vulnerabilities, but no positive response came from their side. In short, they were not interested in hearing this kind of news, even though it was important for them.

The SecurityWall team reached the local MD and CEO Mudassir Sheikha, as well as members of their technical departments and support teams. But, as before, there was no positive response, and replies about the main issues we were offering to discuss kept getting delayed.

Careem's reply to Daniyal Nasir

These kinds of auto-replies hurt companies: reporters like Daniyal Nasir try to secure applications, and customer services have only this kind of mail to respond with. In the past the SecurityWall team reported to PakWheels, who replied with the same auto-responder messages, and months later they got hit through the same parameters we had reported.

Data leaking

After waiting a long time for a positive response, we realized that they had no interest in improving their application's security, nor in saving Careem from a big data breach. We left them as they were.

After some days, the researcher noticed that the low-hanging issues had been fixed by Careem without even letting us know, which was sad; but many vulnerabilities were still present at that time which could be harmful to their business and a huge loss for their customers, drivers and vendors. Two days ago we contacted them again with details, and Careem agreed to launch a bug bounty program to involve security reporters, but we don't have any clue when it will start or where reporters will be able to report. Hopefully we can push an update here.

This post is simply to make brands and developers aware: make sure to pentest your applications, because bad guys can come in and hurt you in many ways. Our job was to notify and report, which we did to Careem, and this was not our first time reporting critical issues. We have reported many vulnerabilities to top reputed brands and organizations, where they appreciated our ethical approach and are now pentesting their apps. A good approach, isn't it?

We hope local brands will learn something productive from here.

Have any questions? Ping us