According to a security agency, LazyPay, the digital credit platform of Dutch financial technology company PayU, has been found to have a security vulnerability. Hackers may use the vulnerability to obtain user data, such as full name, gender, date of birth, and phone number. The researcher who found it said that the problem was resolved soon after he reported it to PayU. The company confirmed the vulnerability but told Advertisement Shout that no user data was leaked. However, LazyPay has not notified its users of the vulnerability and its fix.
Ehraz Ahmed of Bangalore discovered a vulnerability in LazyPay. He stated that the vulnerability allows an attacker to obtain sensitive user information by using the phone number of any registered user on the platform.
After obtaining the phone number, the attacker can obtain data such as full name, gender, date of birth, postal address, profile picture, primary and secondary email address, and Know Your Customer (KYC) status, Ahmed explained in a blog post.
He added that the issue is serious because hackers with minimal programming skills can easily create a program to obtain a series of phone numbers and pass them to the insecure API to automatically extract sensitive user information. The researcher told Advertisement Shout that he discovered the vulnerability by tricking LazyPay into one of the API endpoints provided to third-party developers.
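A defensive view of the automated lookups described above, as an added example that is not from the original article, the researcher or PayU: a sliding-window check that flags API clients requesting profiles for many distinct phone numbers in a short time. The log layout (timestamp, client id, phone number), the client names and the thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_log():
    """Constructed access log: 'ISO-timestamp client-id phone-number' per line."""
    base = datetime(2020, 10, 1, 10, 0, 0)
    lines = []
    for i in range(12):   # partner-a: re-checks the same two customers
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} partner-a 900000000{i % 2}")
    for i in range(10):   # partner-b: a new number every 2 seconds
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} partner-b 90000001{i:02d}")
    for i in range(8):    # partner-c: a new number every 5 minutes
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} partner-c 90000002{i:02d}")
    return sorted(lines)  # ISO timestamps sort chronologically

def find_enumerators(lines, window=timedelta(seconds=60), max_distinct=5):
    """Return {client: (first_alert_time, distinct_numbers_in_window)} for
    clients that look up more than max_distinct different phone numbers
    within one sliding window. Repeated lookups of one number do not count."""
    recent = defaultdict(deque)   # client -> (timestamp, phone) inside window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts_text, client, phone = line.split()
        ts = datetime.fromisoformat(ts_text)
        q = recent[client]
        q.append((ts, phone))
        while ts - q[0][0] > window:      # drop entries older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > max_distinct and client not in alerts:
            alerts[client] = (ts, distinct)
    return alerts

if __name__ == "__main__":
    for client, (ts, n) in find_enumerators(sample_log()).items():
        print(f"ALERT {client}: {n} distinct numbers within 60s at {ts}")
```

The slow client (partner-c) stays under a 60-second window, so a longer window or a per-day distinct-number budget per client is needed alongside this check.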
Soon after discovering the vulnerability in October, Ahmed contacted PayU, LazyPay’s parent company. The company acknowledged the problem and resolved it responsibly and immediately. Ahmed contacted Advertisement Shout at the end of May to provide detailed information about the defect. After understanding the problem, we communicated with PayU to further understand the matter.
A PayU spokesperson confirmed the defect and assured Advertisement Shout that fixes are in place.
“PayU attaches great importance to the security of our systems and data,” the spokesperson said. “We have been conducting inspections to ensure that our payment system is safe and reliable and accessible to everyone. The incident regarding the LazyPay security breach reported in October was resolved immediately. No customer information was leaked as a result of this incident.”
However, the company did not directly notify its customers about the incident, which put their personal data at risk.
LazyPay was launched in 2017 and is a “buy first and pay later” product provided by PayU, allowing customers to pay for orders online through installment payments. The platform is said to have been accepted by more than 250 websites and apps, including BookMyShow, Flipkart, MakeMyTrip and Swiggy.
LazyPay also provides personal loans of up to Rs. 100,000 through a digital process. Customers registering on the platform need to provide their photo identification, such as PAN or Aadhaar, as well as their bank details and selfies.