Zomato agrees to hacker’s demand — will launch bug bounty program in exchange for stolen data deletion

Less than 24 hours after revealing a major security breach that compromised the accounts of millions of users, restaurant search service Zomato revealed that it has engaged with the hacker responsible and has agreed to meet certain conditions in exchange for the stolen data being removed from the dark web.

To recap, India-based Zomato, which claims around 120 million users each month, revealed yesterday that around 17 million email addresses and hashed passwords had been stolen, but it later clarified that 60 percent of those accounts actually used third-party OAuth services — such as Facebook and Google — to log in. But that still left around 7 million users vulnerable, particularly if they used the same email / password combination on other services.

Though Zomato had sought to assure the affected users that their passwords could not easily be decrypted, it seems that was not necessarily the case, with some security experts claiming they were able to decrypt some passwords relatively quickly and others pouring scorn on Zomato’s cryptographic efforts.

MD5 with a 2 char hex salt – WTF?! "Restaurant App Zomato Says Your Stolen Password Is Fine. But Is It?" https://t.co/2NBTnAdosF

— Troy Hunt (@troyhunt) May 18, 2017

The party claiming responsibility for the hack told Motherboard that they had found the vulnerability in Zomato’s infrastructure around a year ago and that after reporting it to the company had heard nothing back. So they went medieval on Zomato by posting the data for sale on the dark web, which led Zomato to “open a line of communication” with the hacker, who it turns out was “very cooperative.”

“He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps,” explained Zomato’s chief technologist, Gunja Patidar. “His/her key request was that we run a healthy bug bounty program for security researchers.”

And so that is exactly what Zomato says that it will do. Though the company has had an active profile on HackerOne for more than a year, it has hitherto failed to offer financial incentives for ethical hackers wishing to submit bug reports. Moving forward, that will change.

“We are introducing a bug bounty program on Hackerone very soon,” continued Patidar. “With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.”

While the link to the stolen data on the dark web has been removed, there is no guarantee that the data will be destroyed, of course. But given the alleged hacker’s suggested course of action, there is every reason to believe that this is the work of a genuine ethical hacker. And it will hopefully have the desired effect of ensuring Zomato improves its online security.

“This incident has made our team’s commitment to addressing all our security issues in a responsible and timely manner even stronger,” added Patidar. “We look forward to working more closely with the ethical hacker community, to make Zomato a safer place for our users.”