LazyPay Security Flaw, Now Fixed, Could Have Been Used to Acquire Sensitive User Information

LazyPay, the digital credit score platform by Netherlands-based fintech firm PayU, was discovered to have a safety flaw that would have allowed hackers to acquire consumer information comparable to their full title, gender, date of start, and cellphone quantity, based on a safety researcher. He mentioned that the difficulty was resolved rapidly after it was reported to PayU, and the corporate confirmed the vulnerability however advised Devices 360 that there was no consumer information leaked. Nevertheless, LazyPay has not knowledgeable its customers concerning the flaw and its repair.

Bengaluru-based Ehraz Ahmed found the vulnerability in LazyPay. He said that the flaw allowed attackers to fetch delicate consumer info by utilizing the cellphone variety of any registered customers on the platform.

Upon getting the cellphone quantity, an attacker may get information comparable to the complete title, gender, date of start, postal tackle, profile image, major and secondary e-mail addresses, and know-your-customer (KYC) standing, Ahmed defined in a weblog submit.

He added that the difficulty was susceptible as a hacker with minimal programming abilities may simply create a program to fetch a sequence of cellphone numbers and move them to the unsecured API to extract delicate consumer info in an automatic means. The researcher advised Devices 360 that he discovered the flaw by tricking one of many API endpoints supplied by LazyPay to third-party builders.

Shortly after discovering the vulnerability in October, Ahmed reached out to LazyPay mum or dad PayU. The corporate acknowledged the difficulty and responsibly mounted it straight away. Ahmed reached out to Devices 360 with the main points concerning the flaw in late Might. After understanding the difficulty, we communicated with PayU to get additional readability on the matter.

A PayU spokesperson the flaw and in addition assured Devices 360 that its repair was already in place.

“PayU takes the safety of our methods and our information very critically,” the spokesperson mentioned. “We’re repeatedly operating checks to make sure that our fee methods are secure and safe for everybody to entry and use. The incident with regard to the safety hole with LazyPay which was reported within the month of October was instantly resolved. There was no leak of buyer info as a consequence of this incident.”

The corporate, nevertheless, didn’t inform its prospects instantly concerning the incident that had put their private information in danger.

Launched again in 2017, LazyPay comes as a “purchase now, pay later” providing by PayU to let prospects make repayments for his or her orders on-line through instalments. The platform is claimed to be accepted throughout over 250 web sites and apps, together with BookMyShow, Flipkart, MakeMyTrip, and Swiggy.

LazyPay additionally affords private loans as much as Rs. 1 lakh by means of a digital course of. Clients signing up on the platform are required to offer their picture ID proofs comparable to PAN or Aadhaar, alongside their financial institution particulars, and a selfie.


Focused on cryptocurrency? We talk about all issues crypto with WazirX CEO Nischal Shetty and WeekendInvesting founder Alok Jain on Orbital, the Devices 360 podcast. Orbital is on the market on Apple Podcasts, Google Podcasts, Spotify, Amazon Music and wherever you get your podcasts.