WeWork India has fixed a data security lapse that exposed the personal information and selfies of tens of thousands of people who visited WeWork India’s coworking spaces to the internet.
Security researcher Sandeep Hodkasia found visitor data spilling from the check-in app hosted on WeWork India’s website, which is used to sign in visitors at the dozens of WeWork India locations across the country. A bug in the app meant it was possible to access the check-in record of any visitor by increasing or decreasing the user’s sequential user ID by a single digit.
Because the check-in tool is internet-facing, the bug allowed anyone on the internet to cycle through thousands of records, exposing names, phone numbers, email addresses, and selfies. Hodkasia said there were no obvious or apparent controls in place to prevent someone from accessing the data in bulk.
None of the data was encrypted.
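The flaw described above is a sequential-ID enumeration: the server returns any record whose number a client asks for. As an added example (not code from the article or from WeWork India), the Python below scans constructed access-log lines for a single client walking the check-in endpoint’s visitor IDs one step at a time; the log format, the `/checkin/visitor/<id>` path and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from any real system).
# Format assumed: <client-ip> <method> <path> <status>
SAMPLE_LOG = """\
203.0.113.10 GET /checkin/visitor/1041 200
198.51.100.7 GET /checkin/visitor/88213 200
203.0.113.10 GET /checkin/visitor/1042 200
203.0.113.10 GET /checkin/visitor/1043 200
203.0.113.10 GET /checkin/visitor/1044 200
198.51.100.7 GET /checkin/visitor/88214 200
203.0.113.10 GET /checkin/visitor/1045 200
203.0.113.10 GET /checkin/visitor/1046 200
"""

# Assumed endpoint shape: the visitor record is selected by a numeric path ID.
LINE_RE = re.compile(r"^(\S+) \S+ /checkin/visitor/(\d+) (\d{3})$")


def find_enumerators(log_text, min_run=5):
    """Return {client: longest_run} for every client whose successful
    (HTTP 200) record lookups stepped through consecutive visitor IDs
    (+1 or -1 each time) in a run of at least min_run requests."""
    ids_by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "200":
            continue  # ignore non-matching paths and failed lookups
        ids_by_client[m.group(1)].append(int(m.group(2)))

    flagged = {}
    for client, ids in ids_by_client.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            # extend the run only when the next ID is adjacent to the last one
            run = run + 1 if abs(cur - prev) == 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[client] = longest
    return flagged


if __name__ == "__main__":
    for client, run in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: walked {run} consecutive visitor IDs")
```

Detection of this kind only limits the damage; the fix is a server-side check that the requester is authorized for the specific record, ideally with non-sequential identifiers so records cannot be guessed in the first place.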
Hodkasia described the bug to TC, which replicated and confirmed his findings, and passed the information to WeWork India.
When reached by email, WeWork India spokesperson Apoorva Verma confirmed its website “had a bug that allowed unintentional access to the basic visitor information.” The check-in app was pulled from the website soon after TC contacted the company. According to Verma, WeWork India is “in the midst of transitioning our website,” and its recent changes “mitigated” the exposure.
It’s not known exactly how many visitors’ information was exposed or for how long.
When asked if there were any plans to notify those whose information was exposed, WeWork India spokesperson Sweta Nair would not say. (India’s new data breach reporting rules, which require companies to notify authorities of a data breach within six hours of discovery, have yet to take effect, following a delay in the rollout of the rules.)
WeWork India joins a raft of Indian companies and organizations beset by a cybersecurity lapse in the past year. In 2020, during the peak of the COVID-19 pandemic, India’s largest cell network Jio exposed a database containing the results of a coronavirus self-test symptom checker on its website. Earlier this year, India’s Central Industrial Security Force left a database packed with network logs exposed to the internet, allowing anyone to directly access internal files on CISF’s internal network. And in June, TC reported the latest spill of Aadhaar numbers involving potentially millions of India’s farmers, thanks to a security lapse at the PM-Kisan government agency.