LazyPay Security Flaw, Now Fixed, Could Have Been Used to Obtain Sensitive User Data

LazyPay, the digital credit platform by Netherlands-based fintech company PayU, was found to have a security flaw that could have allowed hackers to obtain user information such as their full name, gender, date of birth, and phone number, according to a security researcher. He said that the issue was resolved quickly after it was reported to PayU, and the company confirmed the vulnerability but told Gadgets 360 that there was no user data leaked. However, LazyPay has not informed its users about the flaw and its fix.

Bengaluru-based Ehraz Ahmed discovered the vulnerability in LazyPay. He said that the flaw allowed attackers to fetch sensitive user information by using the phone number of any registered user on the platform.

Once they had the phone number, an attacker could get data such as the full name, gender, date of birth, postal address, profile picture, primary and secondary email addresses, and know-your-customer (KYC) status, Ahmed explained in a blog post.

He added that the weakness meant a hacker with minimal programming skills could easily create a program to fetch a series of phone numbers and pass them to the unsecured API to extract sensitive user information in an automated way. The researcher told Gadgets 360 that he found the flaw by tricking one of the API endpoints provided by LazyPay to third-party developers.
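
The automated lookups described above leave a recognisable trace in API logs: one client querying many different phone numbers in a short time. The following added example (not from the article, the researcher or PayU) flags that pattern; the log format, client names, phone numbers and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed log lines in a hypothetical format: '<ISO timestamp> <client> <phone>'."""
    base = datetime(2021, 1, 1, 10, 0, 0)
    lines = []
    for i in range(8):   # partner-b walks 8 consecutive numbers, 2 seconds apart
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} partner-b 900000000{i}")
    for i in range(6):   # partner-c looks up 6 different numbers, 10 minutes apart
        lines.append(f"{(base + timedelta(minutes=10 * i)).isoformat()} partner-c 98{i:08d}")
    for i in range(10):  # partner-a keeps re-checking the same two customers
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} partner-a 97{i % 2:08d}")
    lines.append("garbage line")  # malformed entry, must be ignored
    return sorted(lines)          # ISO timestamps sort chronologically

def find_enumerators(lines, window=timedelta(minutes=1), max_distinct=5):
    """Return {client: peak distinct phone numbers seen in any window} for
    clients that looked up more than max_distinct numbers within the window."""
    recent = defaultdict(deque)  # client -> (timestamp, phone) pairs still inside the window
    peaks = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        client, phone = parts[1], parts[2]
        q = recent[client]
        q.append((ts, phone))
        while ts - q[0][0] > window:   # drop lookups older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > max_distinct:
            peaks[client] = max(peaks.get(client, 0), distinct)
    return peaks

if __name__ == "__main__":
    for client, peak in find_enumerators(build_sample()).items():
        print(f"{client}: {peak} distinct phone numbers within one minute")
```

Counting distinct numbers rather than raw requests keeps a busy but legitimate integration (the constructed `partner-a`) from being flagged. A limit like this complements access control on the endpoint and does not replace it.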

Shortly after discovering the vulnerability in October, Ahmed reached out to LazyPay parent PayU. The company acknowledged the issue and responsibly fixed it right away. Ahmed reached out to Gadgets 360 with the details about the flaw in late May. After understanding the issue, we communicated with PayU to get further clarity on the matter.

A PayU spokesperson confirmed the flaw and also assured Gadgets 360 that its fix was already in place.

“PayU takes the security of our systems and our data very seriously,” the spokesperson said. “We are continuously running checks to ensure that our payment systems are safe and secure for everyone to access and use. The incident with regard to the security gap with LazyPay which was reported in the month of October was immediately resolved. There was no leak of customer information as a result of this incident.”

The company, however, did not inform its customers directly about the incident that had put their personal data at risk.

Launched back in 2017, LazyPay comes as a “buy now, pay later” offering by PayU to let customers make repayments for their orders online through instalments. The platform is claimed to be accepted across over 250 websites and apps, including BookMyShow, Flipkart, MakeMyTrip, and Swiggy.

LazyPay also offers personal loans up to Rs. 1 lakh through a digital process. Customers signing up on the platform are required to provide their photo ID proofs such as PAN or Aadhaar, alongside their bank details, and a selfie.

