Security Researcher Saved Careem from a Data Breach

Careem App is a car booking platform based in the UAE that offers travel services through which people can book a car to their doorstep in a couple of minutes. Careem App is known for its pick-and-drop service and for a comfortable and safe environment across the UAE, Pakistan, Africa, and more countries. But what if this multinational organization gets compromised by hackers and its billions of dollars' worth of customer data gets leaked? They'd have nothing left to do except regret it.

The SecurityWall team works to secure cyberspace and the applications that run our local businesses. We have helped many local and multinational brands, but this story is simply meant to make the local audience and developers aware that an application which seems secure is not necessarily secure from every angle.

We can't disclose the affected domains or any type of private information, for security reasons.

Careem Reply to Daniyal Nasir

Auto-replies of this kind hurt companies: reporters like "Daniyal Nasir" are trying to secure the application, and customer service responds with a canned message. In the past the SecurityWall team reported issues to Zameen.com and PakWheels, where they replied with the same kind of auto-response, and months later someone got through the very same parameters we had reported.

Data Leaking

After waiting a long time for a positive response, we realized that they were not interested in improving their application's security, nor in saving Careem from a major data breach. We left it at that.

Some days later, the researcher noticed that the low-hanging issues had been fixed by Careem without even informing us, which was disappointing; still, many vulnerabilities were present at that time which could harm their business and mean a huge loss for their customers, drivers, and vendors. Two days ago we contacted them again with details, and Careem agreed to launch a bug bounty program to involve security reporters, but we have no indication yet of when it will start or where reporters can submit reports. Hopefully we can post an update here.

This post is simply meant to make brands and developers aware that they should pentest their applications before the bad guys come in and hurt them in many ways. Our job was to notify and report, which we did to Careem, and this was not our first time reporting critical issues. We have reported many vulnerabilities to top reputed brands and organizations, which have appreciated our ethical approach and are now pen-testing their apps. A good approach, isn't it?

We hope local brands will learn something productive from here.

Have any questions? Ping us.