cmn_Ola

In response to MediaNama’s query regarding a claim that Ola, a cab and auto booking service, had been hacked, the company said that the alleged hack was on a staging environment, exposed for a test run, and not its main site. The full statement:

There has been no security lapse, whatsoever to any user data. The alleged hack seems to have been performed on a staging environment when exposed for one of our test runs. The staging environment is on a completely different network compared to our production environment, and only has dummy user values exclusively used for internal testing purposes. We confirm that there has been no attempt by the hackers to reach out to us in this regard. Security and privacy of customer data is paramount to us at Ola.”

A Reddit user called ‘TeamUnknown’ had posted a claim it had all the user details along with credit card transaction history and unused vouchers. The claim:

 

“Their (Ola’s) Application design is very poor and their development server is weakly configured. The hack was a little tricky and involved many steps to get to the database. Once we got to the database it was like winning a lottery. It had all the user details along with credit card transaction history and unused vouchers. The voucher codes are not even out yet. Its obvious that we wont be using credit card details and voucher codes. We dropped them a mail but no response from their side as of now. You can see the snapshots in the links given below. I am sure OLA might be having a security team of their own. Not that good it seems ;)

View post on imgur.com

View post on imgur.com


http://imgur.com/NwE5p0R”

Reddit users pointed out that Ola was using MD5 to hash passwords and relational databases. Read this on why MD5 is not a strong encryption for passwords.

It’s important to note that while Ola might claim that this was on a staging environment, the screenshots do appear to have user data.

Update: Ola says it was dummy user data

Ola’s previous wallet exposure

In March this year, Medium user Shubham Paramhans had pointed out vulnerabilities in the Ola wallet. Paramhans said that while booking a cab, he saw OLA API calls going through his phone. On tweaking the APIs, Paramhans was able to break into Ola’s money transaction system, allowing him to recharge his Ola wallet with any amount.

Readers would like to note that Ola does not use the HTTPS, a security protocol used for adding SSL/TLS security over the HTTP protocol, ultimately to protect data exchanged.

Previous Ola developments:

– In April, Ola (formerly Olacabs) raised $400 million in a Series E round of funding led by DST Global with participation from GIC, Falcon Edge Capital and existing investors SoftBank Group, Tiger Global, Steadview Capital and Accel Partners US. In the same month, Ola raised $315 million funding led by DST Global, with participation from existing investors Tiger Global, Accel Partners and Steadview Capital.

– In March, Ola had appended its load screen image, which was used without permission from a Flickr user based in the US. The company later provided credits to the user Praveen PN after he posted it on Twitter.

– In the same month, Ola launched a food delivery service called OlaCafe for users to order food from nearby using the Ola app. The company claimed a delivery time of 20 minutes.

– It introduced cashless payments for rides on autorickshaws and kaali peeli taxis through their in-app wallet Ola Money across Hyderabad, Chennai, Pune, Ahmedabad, Delhi, Bangalore and Mumbai. Ola had mentioned then that over 40,000 autorickshaws and kaali-peeli taxis had been registered across India on its mobile application.

– In January, two of SoftBank funded cab booking services Ola and South East Asia-based GrabTaxi were in talks for a global taxi alliance to take on rival Uber. This alliance would include knowledge sharing and possibly cross-booking i.e. you could book a GrabTaxi cab from GrabTaxi using Ola’s mobile app and vice versa.

– Ola was reportedly foraying into grocery delivery as a business after it put up an advertisement on BabaJobs where they are looking to hire delivery executives in the Brookefields, Marathahalli, Koramangala and Channasandra areas of Bangalore.

– In February, Ola acquired its Bangalore-based rival TaxiForSure for $200 million in a cash and equity deal. Following the acquisition, Ola and TaxiForSure were expected to continue operations independently while TaxiForSure’s investors were expected to roll over their stock into Ola.