To recap, India-based Zomato, which claims around 120 million users each month, revealed yesterday that around 17 million email addresses and hashed passwords had been stolen, but it later clarified that 60 percent of those accounts actually used third-party OAuth services, such as Facebook and Google, to log in. That still left around 7 million users with a Zomato-held password hash exposed, and therefore at risk, particularly if they reused the same email/password combination on other services.
Though Zomato had sought to assure the affected users that their passwords could not easily be recovered from the stolen hashes, that was not necessarily the case: some security researchers said they were able to crack a number of the passwords relatively quickly, and others poured scorn on Zomato's choice of hashing scheme.
MD5 plus a 2 char hex salt – WTF?! "Restaurant App Zomato Says Your Stolen Password Is Alright. Except Is It?" https://t.co/2NBTnAdosF
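The cryptographic point behind that tweet, as an added example that is not part of the original article and not Zomato's code: a two-hex-character salt gives only 256 possible values, and because the salt is stored with the hash it is visible to whoever holds the dump. An attacker can therefore precompute MD5 for every salt and every word in a leaked-password list once (256 times the wordlist size) and then crack an entire dump by dictionary lookup, or simply brute-force each record at MD5 speed. The exact layout Zomato used (salt prefix versus suffix, encoding) is not stated on the page, so the `weak_hash` layout below is an assumption, and the wordlist and records are constructed for the example. The `strong_hash`/`verify_strong` pair shows the standard-library alternative (random 16-byte salt, iterated PBKDF2-HMAC-SHA256) that a practitioner would expect instead.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

HEX = "0123456789abcdef"

# Assumed layout (not confirmed by the article): two-hex-character salt
# prepended to the password, hashed once with MD5, stored as salt + hexdigest.
def weak_hash(password: str, salt: str) -> str:
    if len(salt) != 2 or any(c not in HEX for c in salt):
        raise ValueError("salt must be exactly two hex characters")
    return salt + hashlib.md5((salt + password).encode("utf-8")).hexdigest()

def weak_salt_space() -> int:
    """Number of distinct salts the scheme can ever produce (16 * 16)."""
    return len(HEX) ** 2

def build_lookup_table(wordlist: List[str]) -> Dict[str, str]:
    """Precompute every (salt, word) pair once: 256 * len(wordlist) MD5 calls.
    The table is keyed by the exact stored string, so any later dump of any
    size is cracked with one dictionary lookup per record."""
    table: Dict[str, str] = {}
    for a in HEX:
        for b in HEX:
            salt = a + b
            for word in wordlist:
                table[weak_hash(word, salt)] = word
    return table

def crack_with_table(stored: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(stored)

def crack_online(stored: str, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Per-record attack: read the salt from the record, then one MD5 per
    candidate. Returns (password or None, number of hashes computed)."""
    salt, digest = stored[:2], stored[2:]
    tried = 0
    for word in wordlist:
        tried += 1
        if hashlib.md5((salt + word).encode("utf-8")).hexdigest() == digest:
            return word, tried
    return None, tried

def crack_dump(dump: List[str], wordlist: List[str]) -> List[Optional[str]]:
    table = build_lookup_table(wordlist)
    return [crack_with_table(rec, table) for rec in dump]

# What the storage should look like instead: a random 16-byte salt and a slow,
# iterated KDF. PBKDF2-HMAC-SHA256 is used here because it ships with hashlib.
ITERATIONS = 200_000

def strong_hash(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_strong(stored: str, password: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed sample data: a tiny "leaked" wordlist and three stored records.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine1", "zomato123"]
SAMPLE_DUMP = [
    weak_hash("letmein", "0a"),
    weak_hash("sunshine1", "f3"),
    weak_hash("correct horse", "7c"),  # not in the wordlist; stays uncracked
]

if __name__ == "__main__":
    print("distinct salts:", weak_salt_space())
    print("table entries for this wordlist:", len(build_lookup_table(SAMPLE_WORDLIST)))
    print("cracked via table:", crack_dump(SAMPLE_DUMP, SAMPLE_WORDLIST))
    print("cracked online:", crack_online(SAMPLE_DUMP[0], SAMPLE_WORDLIST))
    h = strong_hash("letmein")
    print("strong verify:", verify_strong(h, "letmein"), verify_strong(h, "letmein!"))
```

The numbers are the point: the whole salt space multiplies the attacker's work by 256, which at the billions of MD5 operations per second a single GPU manages is negligible, whereas a 16-byte random salt makes precomputation pointless and the iteration count makes each guess expensive.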
The party claiming responsibility for the hack told Motherboard that they had discovered the vulnerability in Zomato's infrastructure about a year ago and that, after reporting it to the company, they had heard nothing back. So they went medieval on Zomato by posting the database for sale on the dark web, which led Zomato to "open a line of communication" with the hacker, who it turns out was "very cooperative."
"He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps," explained Zomato's chief technologist, Gunjan Patidar. "His/her key request was that we run a healthy bug bounty program for security researchers."
And so that is exactly what Zomato says it will do. Though the company has had an active profile on HackerOne for more than a year, it has so far failed to offer financial incentives to ethical hackers wishing to submit bug reports. Going forward, that will change.
"We are launching a bug bounty program on Hackerone very soon," continued Patidar. "With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available."
While the link to the stolen data on the dark web has been removed, there is no guarantee that the data will be destroyed, of course, so affected users should still treat those passwords as compromised and change them anywhere they were reused. But given the alleged hacker's suggested course of action, there is every reason to believe that this is the act of a genuine ethical hacker. And it will hopefully have the desired effect of ensuring Zomato improves its online security.
"This incident has made our team's commitment to handling all our security aspects with a responsible and proactive approach even stronger," added Patidar. "We look forward to working more closely with the ethical hacker community, to make Zomato a safer place for our users."