There are plenty of online shops which offer to print your photos, visiting cards and t-shirts. But do they protect the photos or personal information you share with them? We will find out.
We discovered a security vulnerability in Inkmonk.com (India’s first print marketplace) which leaks all the photos you have uploaded, via a simple API:
Vulnerable API
The ids used in the above API is serially iterable and the response looks like this:
API response
And if you click on one of the URLs in the above response, you will see the pictures uploaded by the users of the website. They do not require any kind of authentication at all. Some examples below:
This security bug was reported to the InkMonk on 19th November, 2017. They acknowledged the existence of the issue and promised a fix in coming days. They even sent goodies for finding the issue.
I contacted them again after a month saying that it is still vulnerable but got no response. Even after a year and a month being passed as of writing this (19th December, 2018) and it is still not fixed.
Sadly, security vulnerabilities take back seat amongst other aspects of running a company.
Key TakeawayFor now, stop uploading your personal photos and personal information like visiting cards online if you care about your privacy.
To technology companies, please prioritize security of your users above everything else.
