Flexible workspace solutions company WeWork India has exposed the personal information, e-mails, and selfies of tens of thousands of people who visited its co-working facilities in the country. The company currently operates in India at more than 40 locations with over 62,000 members. Last year, the flexible workspace operator raised Rs 200 crore from domestic and international investors. In the January-March period of 2021, the company had sales of 10,000 desks totaling 7 lac square feet, the highest for any quarter.
The flawed security system
The cybersecurity researcher Sandeep Hodkasia, the co-founder of App Secure, found visitors’ data leaking from the check-in app on WeWork India’s website, which is used by visitors to sign in at the dozens of WeWork India locations across the country. The vulnerability exposed visitors’ names, phone numbers, email addresses, and selfies.
I recently uncovered a security vulnerability in the WeWork app that exposed all visitors' PII data. https://t.co/iVUJ81RLfy
— Sandeep Hodkasia | संदीप होदकासिया (@sandeephodkasia) July 4, 2022
According to Sandeep: “I recently uncovered a security vulnerability in the WeWork app that exposed all visitors’ PII [personally identifiable information] data.” According to him, the bug allowed anyone on the internet to cycle through thousands of records, exposing names, phone numbers, email addresses, and selfies. There were no obvious controls in place to prevent someone from accessing the data in bulk.
WeWork India fixed the security flaw
Talking to an international media outlet, a spokesperson of WeWork India, Apoorva Verma, confirmed that its website had a bug that allowed unintentional access to basic visitor information. The company is in the midst of transitioning its website, and the recent changes might have mitigated the exposure. The spokesperson also confirmed that the check-in app was pulled from the website soon after the issue came to light and that the security lapse was fixed.