A security researcher, Ashutosh Barot, has discovered exposed data belonging to Shipyaari, a Mumbai-based logistics company. The exposed data consists of personal information of Shipyaari customers, including their names, addresses, phone numbers, order invoice amounts, and delivery status. Shipyaari has more than 6,000 active sellers across the country and claims to handle more than 5,000 shipments a day.
Data Exposed due to Months-Long Spill
The sensitive data was exposed through a months-long spill of the company's internal shipment information. The security researcher also confirmed that the company's client tracking page was not password protected and could be viewed by anyone who had the web address. Data of this kind can be used for targeted social engineering attacks and financial fraud. According to Barot, he contacted Shipyaari back in 2021 to inform them about the exposed data; the company made some changes afterwards, but the problem persisted.
Shipyaari Fixed the Issue
The logistics company ended up fixing the vulnerability after an international media outlet reached out to it regarding the security incident. According to the media outlet: “Shipyaari fixed the exposure by removing customers’ personally identifiable information (PII) from the tracking page and restricted its access with a one-time PIN (OTP) system. It later updated the system to limit bad actors from launching automated attacks.”
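The fix the outlet describes, as an added example that is not Shipyaari's own code: a tracking lookup that returns delivery status only, and releases the PII behind it only after a one-time PIN tied to the tracking ID is verified, with an expiry and an attempt limit to blunt automated guessing. The shipment record, tracking ID and phone number are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample record; not real customer data.
SHIPMENTS = {
    "SY12345": {"status": "Out for delivery", "name": "A. Example",
                "address": "12 Sample Road, Mumbai", "phone": "+91-9000000000",
                "invoice_amount": 1499.00},
}
OTP_TTL_SECONDS = 300   # OTP is valid for five minutes
MAX_ATTEMPTS = 3        # lock the OTP after three wrong guesses

@dataclass
class OtpState:
    digest: bytes       # only a hash of the OTP is stored server-side
    expires_at: float
    attempts: int = 0

_pending = {}           # tracking_id -> OtpState

def _digest(tracking_id, otp):
    return hashlib.sha256(f"{tracking_id}:{otp}".encode()).digest()

def public_status(tracking_id):
    """Unauthenticated view: delivery status only, never PII."""
    rec = SHIPMENTS.get(tracking_id)
    return None if rec is None else {"tracking_id": tracking_id, "status": rec["status"]}

def issue_otp(tracking_id, now=None):
    """Create a 6-digit OTP for this shipment; the caller sends it to the phone on file."""
    if tracking_id not in SHIPMENTS:
        return None
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[tracking_id] = OtpState(_digest(tracking_id, otp), now + OTP_TTL_SECONDS)
    return otp  # deliver out of band (SMS); never echo it to the browser

def verify_and_reveal(tracking_id, otp, now=None):
    """Release PII only for a valid, unexpired, single-use OTP within the attempt limit."""
    now = time.time() if now is None else now
    state = _pending.get(tracking_id)
    if state is None or now > state.expires_at:
        _pending.pop(tracking_id, None)
        return {"error": "otp_expired_or_missing"}
    if state.attempts >= MAX_ATTEMPTS:
        return {"error": "locked"}
    state.attempts += 1
    if not hmac.compare_digest(state.digest, _digest(tracking_id, otp)):
        return {"error": "invalid_otp", "attempts_left": MAX_ATTEMPTS - state.attempts}
    _pending.pop(tracking_id)  # single use: a verified OTP cannot be replayed
    return dict(SHIPMENTS[tracking_id], tracking_id=tracking_id)
```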
Ashutosh Barot thanked Shipyaari for fixing the issue, saying: “I appreciate Shipyaari for fixing the issue and implementing recommendations.” He further said that India needed strong data privacy laws to help limit the growing number of data exposures and leaks. Later, Barot confirmed that customer PII is no longer displayed on the page while it loads. Vishal Totla, founder of Shipyaari, said: “Data privacy is of utmost importance to us, and we will ensure such instances should not occur in the future.”