Myntra’s Privacy Hack [Your Invoice Open to Public]
Myntra had a privacy plug that enabled anybody to view other users’ personal details (address/email/mobile/order amount etc.) just by playing with the invoice URL. Note that these are not login credentials; they are the data printed on the invoice, which is bad enough.
Basically, if you have ever bought anything from Myntra, you would be aware of the Invoice URL:
http://www.myntra.com/order_invoice.php?orderid=somenumber&t=u
All you need to do is play with the order id (any 5 digit number would do) and you can see the entire invoice! You don’t even need to sign in: the page never checks that the order belongs to the person asking for it, so the order id alone is the key.
So essentially, if you ever bought anything from the site, your personal data was public and open to spammers/harvesters, whatever.
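What the URL trick amounts to, as an added example that is not Myntra’s code (the real order_invoice.php is not on this page): a handler that looks an invoice up by order id alone, beside the ownership check that closes the hole. The invoice store, the session table and the account names are constructed for the demo.

```python
"""Added example, not Myntra's code: the order_invoice.php behaviour modelled
as an insecure direct object reference, beside the ownership check that
closes it. Invoices, sessions and account names are constructed for the demo."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Invoice:
    order_id: int
    owner: str      # account that placed the order
    email: str
    address: str
    amount: float


# Constructed sample data with sequential order ids, as the commenters observed.
INVOICES: Dict[int, Invoice] = {
    10001: Invoice(10001, "alice", "alice@example.com", "12 Park St", 799.0),
    10002: Invoice(10002, "bob", "bob@example.com", "7 Lake Rd", 1299.0),
    10003: Invoice(10003, "carol", "carol@example.com", "3 Hill Ave", 499.0),
}

# Constructed session table: session cookie value -> logged-in account.
SESSIONS: Dict[str, str] = {"s-alice": "alice"}


def invoice_vulnerable(order_id: int, session_cookie: Optional[str] = None) -> Optional[Invoice]:
    """Mirrors the reported page: orderid is the only input that matters.
    No login is required and nothing ties the order to the caller."""
    return INVOICES.get(order_id)


def invoice_fixed(order_id: int, session_cookie: Optional[str] = None) -> Optional[Invoice]:
    """Hardened form: identify the caller from the session first, then fetch
    the invoice scoped to that owner. A missing id and someone else's id both
    yield None, so the response does not reveal which ids exist."""
    user = SESSIONS.get(session_cookie) if session_cookie else None
    if user is None:
        return None
    inv = INVOICES.get(order_id)
    if inv is None or inv.owner != user:
        return None
    return inv


Handler = Callable[[int, Optional[str]], Optional[Invoice]]


def enumerate_invoices(handler: Handler, lo: int, hi: int,
                       session_cookie: Optional[str] = None) -> List[int]:
    """'Play with the order id': walk a range of sequential ids and return
    the ones the handler hands an invoice back for."""
    return [oid for oid in range(lo, hi + 1) if handler(oid, session_cookie) is not None]


if __name__ == "__main__":
    ids = (10000, 10010)
    print("anonymous, vulnerable page :", enumerate_invoices(invoice_vulnerable, *ids))
    print("anonymous, fixed page      :", enumerate_invoices(invoice_fixed, *ids))
    print("alice, fixed page          :", enumerate_invoices(invoice_fixed, *ids, "s-alice"))
```

Against the vulnerable handler an anonymous walk over eleven ids returns all three invoices; against the fixed one it returns nothing, and Alice sees only her own order. Two details matter in the fix: the lookup is scoped to the authenticated owner rather than checked after the fact, and a foreign id returns the same response as a missing id, so the page cannot be used as an oracle for which order numbers exist. On the detection side, the signature of this attack is one client requesting many distinct orderid values in quick succession, which is cheap to alert on from the access log.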
We have been aware of this issue for the last ~3 days (Raxit found it), but chose not to talk about it until the issue was fixed.
I believe these are serious issues that deter Indian users from even clicking on e-commerce sites. Apart from lip service (an https secured connection or a digital signature only protects the data on the wire; it does nothing about a page that hands any order’s invoice to whoever asks for it), do you think there needs to be a set of checks that one should comply with before you even start selling products online?
And what about ecommerce sites that fail to comply to these? Fine them?
Sadly, the updated IT Act Amendment Bill too doesn’t have any provision for privacy issues.
What’s your thought on this?
pic credit: raxit
cookies, login, sessions ???
I guess php programmers use the above stuff :p
It was open for public access – so no cookie/login/session thing here.
-Ashish
Good that I don’t buy things online..most of the ecomm sites take users for granted..they don’t give a damn about your data/privacy etc..
myntra is no exception – wonder why IDG and others invested in them..probably lack of better options?
These words reach pretty fast. Fail to comply with something as basic as this and start over again!
Precisely the reason many still prefer the physical stores.
Sad but true.
Solution : Testing!
Basically, they should have passed some random key along with the invoice number, so they can cross verify both, and only if both match display the data..
Many people fail to check these kind of things and land up in trouble..
Did you try to play with post data on their cart page? I am sure, it will allow to modify the price value too..
cheers
Deep
Randomizing the invoice id does it all – right now it seems it’s a sequential number [who did the coding sir]
Randomizing the invoice is not a good idea, as it becomes difficult to remember the numbers or figure out the meaning from it… just the serial-wise invoice number with a random key combination should do the job..
well..one can always map that to an internal invoice id.
or better still, only owners can view their invoice..
Deep
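The “serial invoice number plus random key” idea from the comments above, as an added example that is not Myntra’s or the commenters’ code: the key is an HMAC of the order id under a server-side secret, so the sequential orderid stays readable while the link itself cannot be guessed. The `k` parameter name, the secret value and the order ids are assumptions for the demo; the path is the one from the post.

```python
"""Added example, not Myntra's or the commenters' code: a sequential invoice
number paired with a key derived from it, so the orderid stays readable while
the link cannot be guessed. The secret, the 'k' parameter and the ids are
assumptions for the demo."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed server-side secret; a real deployment loads it from a secret store.
SERVER_SECRET = b"demo-secret-rotate-me"
INVOICE_PATH = "http://www.myntra.com/order_invoice.php"  # path from the post


def invoice_key(order_id: int, secret: bytes = SERVER_SECRET) -> str:
    """The 'random key' for one invoice: HMAC-SHA256(secret, orderid), truncated.
    Without the secret a client cannot compute the key for a neighbouring id."""
    mac = hmac.new(secret, str(order_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def invoice_url(order_id: int) -> str:
    """Link the shop would put in the order e-mail (parameter name 'k' assumed)."""
    return f"{INVOICE_PATH}?orderid={order_id}&k={invoice_key(order_id)}"


def invoice_allowed(url: str) -> Optional[int]:
    """Server side: recompute the key for the supplied orderid and compare it
    in constant time. Returns the order id when the link is genuine, else None."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        order_id = int(query.get("orderid", ""))
    except ValueError:
        return None
    supplied = query.get("k", "")
    if not hmac.compare_digest(supplied, invoice_key(order_id)):
        return None
    return order_id


if __name__ == "__main__":
    genuine = invoice_url(10001)
    tampered = genuine.replace("orderid=10001", "orderid=10002")  # keep key, bump id
    print(genuine, "->", invoice_allowed(genuine))
    print(tampered, "->", invoice_allowed(tampered))
    print("bare id as in the post ->", invoice_allowed(f"{INVOICE_PATH}?orderid=10002&t=u"))
```

Bumping the orderid while keeping the key fails, and so does the bare `orderid=…&t=u` form from the post. The caveat, which is why “only owners can view their invoice” is still the better answer: the key is a bearer capability, so anyone who obtains the link (a forwarded e-mail, a proxy log, a Referer header) can read that invoice. It suits unauthenticated links in order e-mails; for a logged-in user the ownership check belongs on top of it, and folding a timestamp into the HMAC input bounds how long a leaked link stays useful.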
you may be right, i already informed the myntra management to have a thorough check of their whole site and strict auditing !
Let’s see if they do this job or not !
Happy Hacking
-Raxit
This issue existed for 3-4 days due to some wrong code that got pushed to the server. The issue has been fixed. The customer’s invoice details are not accessible anymore. Myntra is committed to customer data security and treats all information provided by the customer as very confidential.
Oh my god… Hard to trust myntra now.. Wondering how did they get funding, is it just because they are from IIT??
myntra tried to stop this information from going public by offering a free t-shirt to Raxit?? As Raxit mentioned in his post at http://raxitsheth.blogspot.com/2008/12/hacking.html
“Offer of free T-shirt for not posting this post is rejected”
Now that’s a holy shame!! That’s called pure bribing!
I suggest cos. should just come out in open and accept their mistake, instead of their users finding the hard reality from somewhere else..
Surely one cant trust them with $/data now.
Santosh – by this small mistake, you cannot really say that you won’t trust the company… security holes keep on coming in every software.. be it minor or major..
Anyone can make mistakes.. .even in wordpress too, new security holes keep on coming… so it does not mean that, we should stop using the software… they will audit it and fix it up…
About someone offering a free t-shirt for not posting – I think someone from their company might have done it.. (programmer or some marketing guy) it might not be official from CEO or any top post guys….
But looking at the circumstances.. there are high possibilities that companies might offer this kind of thing to avoid security holes going public…
We are humans.. we all make mistakes
Just my 2 cents…
Cheers,
Deep
Well..it’s not about a small mistake – when you are making money per txn, you are answerable to cos.
and whether one trusts myntra/others based on a few mistakes is a personal choice, but I believe cos. should not just spend money on adwords and should have some budget for QA as well.
one shouldn’t even compare wp security plugs with application plugs – wp is a platform (like OS/CMS) and it’s bound to be a fav for hackers..
while myntra is an application – so pls do not even compare the 2.
looks more like one of the founders offered free tee for not posting..well..what can one say
” you are answerable to cos.” – i meant customer.
Yup… you are right.. they are answerable to customers and I think that’s why they fixed it without delay too right?
You won’t believe it but these kinds of loopholes were / are present in many known ecommerce sites too… I had found an xss hole in the Indiatimes website ages back.. they didn’t bother to reply or fix it… these guys are at least active and fixing it before other people get info on it…
About comparing WP and this application.. no I am not comparing platform wise, I know WP is open source and this one is a private application.. but my point was, in any scenario, with any kind of tight security, the loopholes are going to be there and an application becomes stronger only after digging & fixing them..
About founders offering free tshirts… I donno about it.. may be Raxit or someone from company would be able to answer that…
cheers,
Deep
Hi Deep,
> About founders offering free tshirts… I donno about it.. may be Raxit or someone from company would be able to answer that…
My Answer is my blog post !
http://www.m4mum.com
Raxit Sheth
This is completely absurd….the amount of negativity !!! The issue was promptly fixed. This issue is not even close to the financial crisis happening around you…does that stop you from investing?
I have full faith in Myntra !!!
Financial crisis do prevent people from investing, this is a well known fact.
Faith in myntra??? must be kidding…
@ Sumit (from thehiringtool.com) …
Did Mukesh (founder of myntra) ask you to write this comment?
Hahaha….this is a good way to build your credibility in front of your client (myntra.com) and earn more business ..
I understood why you have full faith in myntra LOL
I did some research and found in the linkedin profile of myntra’s CEO (search Mukesh Bansal in linkedin) that there are three people recommending Mukesh. See the very recent one..written by thehiringtool.com
“Mukesh is very focussed and believes in quick action. It is a pleasure working with him and his promptness adds to the success our partnership.” December 5, 2008
Nupur Panjabi, Founder, thehiringtool.com
was a consultant or contractor to Mukesh at Myntra Designs Pvt. Ltd.
Good job Sumit!!! myntra will of course keep you for their recruitment works
I guess few more associated companies will now put good comment about myntra to earn their loyalty.
Mukesh is a friend before a client. And yes, these relationships go a long way. And these loyalties are more personal than professional.
@ Amit K – I must commend you on your researching skills. If you and others are so intolerant about accidental errors, if you are an employee of a company, maybe your boss should know that you have 0% tolerance and you will quit your job if you make an accidental error (high ethical standards should be self-imposed before imposing on others).
Myntra is a client that we have seen grow and have helped grow and which is why I have full faith in Mukesh and his team.
Guys, everyone that takes the plunge in starting a company does it because he sees a value to be provided to its customers (you guys). This site – pluggd.in is to promote entrepreneurship. But things like these where you jump so negatively on an accident make me lose faith in such discussion forums.
Only if we could convert all this negative into something positive.
Best wishes everyone and happy new year !!!
Sumit
Well dude – all I can ask is that you stick to the topic – you know founders, you make money out of them,,,blah blah..how does that affect this issue?
Isn’t this a serious privacy breach? Did Myntra inform its customers about the issue (and fix)? they instead bribed raxit to not talk about it (F**king shame!).
And pls do not compare indiatimes’ shopping error with the new age tech players (supposedly) – if these tech startups behave the same as others, what the f**k are we talking about india tech dream then?
Sumit,
it’s best to explicitly put to whose comment you are replying
. people are assuming you are replying to me, i have not made any statement regarding investment.
-Raxit
sorry ’bout that !!!!
Hi Guys, I have purchased over 5 T-shirts at Myntra. they are one of the most customer friendly companies I have ever dealt with. Once I received a defective T-shirt which they promptly replaced w/out asking any questions, Another time I asked them if I could get a personalized gift within 24 hours and they personally hand delivered it. Some of the comments above are quite malicious and I wish people would judge things objectively,
Vidya
Hmmm…If any business offers a compensation, it must be a bribe!! Is this guy real or a myntra competitor in disguise. If a company makes a mistake and offers me some comp in return, I feel good that someone is owning up to their mistake. I guess the concept is too foreign to some cynical people who feel everyone out there is a crook. !
Raxit may be putting all wrong information or he may be a myntra competitor or you may be a myntra guy, just trying to blame someone; competitors may be an easy bet.
That was quite a stupid statement to make – he requested me to not publish this article till myntra fixes the issue (otherwise anybody could have easily seen other’s invoices).
Please avoid making such irrational comments.
-Ashish
Guys.. I think everyone should stick to the topic… I don’t see any need for myntra is good or bad….
There was a loophole, which was fixed by the company.. that’s about it… it does not make the company less or more trustworthy…
Mistakes happen with everyone… and there is no need to make it out of proportion…
Just my 2 cents…
Deep
Hi Manoj, I have not put any wrong information, and whatsoever I put on my blog was after confirmation from myntra that they had fixed the bug. I am not from Myntra’s or a competitor’s side. If we wanted to piss them off, we could have put the stuff out even before they fixed it, but I feel it is unethical to publish the stuff when myntra has informed us that they will fix it at the earliest. Why it took more days to fix, the reason is provided by Ashutosh (myntra) in the above comments !
Happy Hacking
-Raxit Sheth
This indeed is a big goof up, and am sure Myntra guys would be embarrassed to the core. The good thing is that the issue was fixed within no time which is quite commendable. Mistakes do happen, and let’s not forget that these guys are also trying to build a business, just like most of us. As fellow (or wannabe) entrepreneurs, we should know that mistakes are a part of growing up .. what matters is our ability to rectify them and make sure they aren’t repeated. Myntra has managed to rectify it, and I really hope they don’t repeat it again.
Cheers
Jayant Sharma:
I think this discussion is getting a bit abusive here.. I thought people would be sensible enough to use proper language and not get into personal wars…
Anyways, coming back to your comment…
I compared the wordpress application in this example, you said don’t do it.. i explained the logic behind it..
Then I compared Indiatimes shopping site, now you are saying, it is an old age system… do you even know what you are talking about?
It is old and it is strong too.. they are HUGE… these small ecom sites are nothing compared to it…
Anyways, no point in arguing as it doesn’t make sense to drive the topic to some off topic…
Cheers
Deep
aah.. for some reason, it did not show the quoted text in blockquote… the text
“And pls do not compare indiatimes’ shopping error with the new age tech players (supposedly) – if these tech startups behave the same as others, what the f**k are we talking about india tech dream then?”
was written by Jayant Sharma FYI
hey deep
sorry abt that – what i was trying to say is pretty simple – indiatimes/sify/rediff’s ecomm sites are the older sites and because of their ‘lack of respect’ for security etc, we blame them for not being able to win the trust of indian consumers.
If new age startups also do the same, what’s the diff.? Are they another indiatimes in making?
Rectifying an issue is no big deal (even biggies do that), but what about the basic code of conduct that these sites should follow? Isn’t there a need for one?
Again, sorry for those ** comments, pal!
I agree with both Jayant and Deep.
@Deep: Yes mistake happens, and it has been fixed now, I guess.
@Jayant: I agree with you here that myntra should inform all their customers about it. As it is of course a privacy breach, as well be honest with customers. The t-shirt bribe offered by one of their core team members (Ashutosh) is something that is not ethical at all.
Update 2 @
http://raxitsheth.blogspot.com/2008/12/hacking.html
-Raxit
Hello, This is not about getting personalized or taking sentiments. Let’s face the fact that Myntra is / was having a big security flaw. This is a question of securing people’s data. Unfortunately, unlike the US, India doesn’t have any stringent Data Security laws in place. Rather than treating it sentimentally, i request people to suggest ways to implement solutions like an RSA mechanism.
- Anjali
This is disgusting! Being in the IT space myself, I can say that this is a result of complete carelessness from the team. It is the basic rule of planning any code that you secure a user’s private information! And to be lax on that is ridiculous!!