Yes, I am talking about OYO Rooms, which now has a net worth of Rs. 2,600+ crore and operates in 12 other countries along with India.
Recently, I was engaged in a cybercrime case in which we had to trace the criminal. The situation was very tough because his phone had been off for a long time, and it was very hard to find his current location without his cell phone.
I was blank and didn't have any clue what could possibly be done. Suddenly it struck me that if a person is away from his house for a long time, he may use a hotel to stay.
After thinking about hotels, OYO came to mind. So I dialled +91 9313931393 (OYO customer care), and a customer care person started talking with me. I asked him for help, saying: "Hello sir, I have created a booking with my number and my phone is switched off now. Can you please book a stay for me in the same property I visited last time?" He then replied with the property name, date and place.
I was shocked…
It is very easy to learn anyone's personal information just by knowing his/her phone number. So I started some more research on it.
With some social engineering tricks, I was able to retrieve all the personal information used in the booking: name, number of occupants, email and hotel address.
It was as if there were an IDOR on some application endpoint leaking all the info. After some time I found that we can also book a stay by phone.
If we can book a stay by phone, can we cancel a stay by phone?
So first I called Mahesh and asked him to book a stay; then I called OYO Rooms customer service from my phone and asked them to cancel my last booking and make another booking at a different location. I succeeded. I also tried this trick on another friend to cancel his upcoming bookings. It was cool.
Things we can do with this
- We can retrieve all the personal information of any registered user just by knowing his/her OYO Rooms registered mobile number.
- Can we book a stay for any other person?
- We can also cancel any of someone's booked stays by knowing his/her registered mobile number.
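As an added illustration (example code written for this page, not OYO's systems and not code from the original post), the following Python models the support-desk workflow described above. It assumes a hypothetical booking store keyed by registered phone number and a simulated SMS gateway. `WeakSupportDesk` treats a quoted number as proof of identity, which is the behaviour the calls above exploited; `HardenedSupportDesk` performs the same operations only after a single-use code delivered to the number on file (never to the line the call came from) is read back, so knowing a number is no longer enough to read or cancel a booking.

```python
import hmac
import secrets


def sample_bookings():
    """Constructed sample data (not real customers): records keyed by the
    phone number registered on the account."""
    return {
        "+910000000001": {
            "name": "Mahesh",
            "email": "mahesh@example.invalid",
            "occupancy": 2,
            "property": "Sample Property, Sample City",
            "checkin": "2019-01-01",
            "status": "confirmed",
        },
    }


class WeakSupportDesk:
    """Models what the post describes: quoting a registered number is
    treated as proof of identity, so lookup and cancellation are open to
    anyone who knows the number."""

    def __init__(self, bookings):
        self.bookings = bookings

    def last_booking(self, claimed_phone):
        return self.bookings.get(claimed_phone)

    def cancel_last_booking(self, claimed_phone):
        booking = self.bookings.get(claimed_phone)
        if booking is None:
            return False
        booking["status"] = "cancelled"
        return True


class HardenedSupportDesk:
    """Same operations, but the desk first proves the caller possesses the
    registered phone: a single-use code goes to the number on file (never
    to the line the call came from) and must be read back before any
    detail is disclosed or any change is made."""

    def __init__(self, bookings, send_sms):
        self.bookings = bookings
        self._send_sms = send_sms     # hypothetical gateway: send_sms(phone, text)
        self._pending = {}            # phone -> outstanding code

    def start_verification(self, claimed_phone):
        # Same reply whether or not the number is registered, so the call
        # itself cannot be used to enumerate customers.
        if claimed_phone in self.bookings:
            code = f"{secrets.randbelow(10**6):06d}"
            self._pending[claimed_phone] = code
            self._send_sms(claimed_phone, code)
        return "If this number is registered, a code has been sent to it."

    def _verified(self, phone, code):
        expected = self._pending.pop(phone, None)   # single use, even on failure
        return expected is not None and hmac.compare_digest(expected, code)

    def last_booking(self, phone, code):
        if not self._verified(phone, code):
            return None
        return self.bookings[phone]

    def cancel_last_booking(self, phone, code):
        if not self._verified(phone, code):
            return False
        self.bookings[phone]["status"] = "cancelled"
        return True


def demo():
    """Replays the post's scenario against both desks: the caller knows
    Mahesh's registered number but does not hold his phone."""
    victim = "+910000000001"
    results = {}

    weak = WeakSupportDesk(sample_bookings())
    results["weak_leaks_booking"] = weak.last_booking(victim) is not None
    results["weak_cancels"] = weak.cancel_last_booking(victim)

    inboxes = {}                                  # simulated SMS delivery
    hardened = HardenedSupportDesk(
        sample_bookings(),
        lambda phone, code: inboxes.setdefault(phone, []).append(code))

    # Attacker: has the number but not the handset, so can only guess.
    hardened.start_verification(victim)
    results["attacker_sees_booking"] = hardened.last_booking(victim, "guess") is not None
    hardened.start_verification(victim)
    results["attacker_cancels"] = hardened.cancel_last_booking(victim, "guess")

    # Legitimate customer: reads the code from the registered phone.
    hardened.start_verification(victim)
    code = inboxes[victim][-1]
    results["owner_cancels"] = hardened.cancel_last_booking(victim, code)
    # The code is single-use, so replaying it is refused.
    results["replay_refused"] = hardened.last_booking(victim, code) is None
    results["status"] = hardened.bookings[victim]["status"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the registered number is an identifier, not a credential: the hardened desk sends the code to the number on file rather than reading it out or sending it to whoever is on the line, gives the same reply for registered and unregistered numbers, and discards the code after one use.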
I have also attached some recordings of the conversations I had with OYO customer care. Please share your valuable opinion in the comment section below.
Moral of the story: there is a saying that infrastructure security comes before application security.