Flaw in Indane LPG App Exposes Personal Details of 7 Million Customers and Distributors

A Security researcher has discovered a critical vulnerability in the iOS application of Indane LPG exposing personal details of customers and distributer

A Security researcher has discovered a critical vulnerability in the iOS application of Indane LPG exposing personal details of customers and distributer. Indane LPG is one of the leading domestic LPG providers in India owned by Indian Oil Corporation Limited. According to the security researcher Sreekanth Pillai, the breach has exposed sensitive details of at least 7 million customers and distributors. The broker Access Control vulnerability in the API Endpoint of the app gave unauthorised access for attackers to modify data. “The API Endpoint was vulnerable to Broken Access Control vulnerability. On accessing my profile section within the application, a POST request was sent to the backend server with my user id, deviceID and Base64 encoded access_token.” said the researcher to GBHackers. The vulnerability allowed the attacker to view and access:

Personal data of every Indane LPG customers and modify it
Distributors bank details
Access online order history of customers
Book a new LPG cylinder
Make changes on subsidy request without user consent

The personal details exposed includes Consumer Number, Consumer Name, Postal Address, Personal Email Address and phone numbers of every Indane consumers. The distributor's bank details exposed includes name, bank name, account number, IFSC code, email and the phone number linked with the bank account. When the user accesses their profile, the apps send a Post request along with a user id to validate the user. The researcher was able to access information about other indane consumers by modifying the value of “userid” incrementally. Researcher notified National Critical Information Infrastructure Protection Centre (NCIIPC) about the vulnerability on March 29, 2019, and both iOS and Android apps were removed immediately. For the latest cyber threats and the latest hacking news please follow us on Facebook, Linkedin and Twitter.

You may be interested in reading:New Zero-day flaw in Google Chrome Discovered Actively Exploited in the Wild

Google Ads Exploited in Cyberattack: Hackers Steal Login Details and 2FA Codes

Murdoc Botnet Exploits AVTECH Cameras and Huawei Routers

Authquake Attack Bypasses Microsoft MFA, Exposing Critical Security Vulnerabilities

Strategies for Mitigating Cyber Threats in 2025

Cybersecurity Threats in Social Media Networks: Protecting User Data

AI in Data Privacy Compliance

Secure Boot Bypass Flaw Found in Palo Alto Firewalls

Volkswagen Faces Major Breach: Data of 800K EV Customers Leaked

Successful CISO – Is a Business Enabler the Need of the Hour?

Behind the Job Title: Information Security Consultant

Cybersecurity Threats in Social Media Networks: Protecting User Data

AI in Data Privacy Compliance

No featured articles available

Flaw in Indane LPG App Exposes Personal Details of 7 Million Customers and Distributors

A Security researcher has discovered a critical vulnerability in the iOS application of Indane LPG exposing personal details of customers and distributer

Share Your Story!

No featured articles available

A Security researcher has discovered a critical vulnerability in the iOS application of Indane LPG exposing personal details of customers and distributer

Stay Updated with the Latest Cybersecurity News