LazyPay, the digital credit platform by Netherlands-based fintech company PayU, was found to have a security flaw that could have allowed hackers to obtain user data such as their full name, gender, date of birth, and phone number, according to a security researcher. He said that the issue was resolved quickly after it was reported to PayU, and the company confirmed the vulnerability but told Gadgets 360 that there was no user data leaked. However, LazyPay has not informed its users about the flaw and its fix.
Bengaluru-based Ehraz Ahmed discovered the vulnerability in LazyPay. He stated that the flaw allowed attackers to fetch sensitive user information by using the phone number of any registered users on the platform.
Upon getting the phone number, an attacker could get data such as the full name, gender, date of birth, postal address, profile picture, primary and secondary email addresses, and know-your-customer (KYC) status, Ahmed explained in a blog post.
He added that the issue was vulnerable as a hacker with minimal programming skills could easily create a program to fetch a series of phone numbers and pass them to the unsecured API to extract sensitive user information in an automated way. The researcher told Gadgets 360 that he found the flaw by tricking one of the API endpoints provided by LazyPay to third-party developers.
Shortly after finding the vulnerability in October, Ahmed reached out to LazyPay parent PayU. The company acknowledged the issue and responsibly fixed it right away. Ahmed reached out to Gadgets 360 with the details about the flaw in late May. After understanding the issue, we communicated with PayU to get further clarity on the matter.
A PayU spokesperson the flaw and also assured Gadgets 360 that its fix was already in place.
“PayU takes the security of our systems and our data very seriously,” the spokesperson said. “We are continuously running checks to ensure that our payment systems are safe and secure for everyone to access and use. The incident with regard to the security gap with LazyPay which was reported in the month of October was immediately resolved. There was no leak of customer information due to this incident.”
The company, however, did not inform its customers directly about the incident that had put their personal data at risk.
Launched back in 2017, LazyPay comes as a “buy now, pay later” offering by PayU to let customers make repayments for their orders online via instalments. The platform is claimed to be accepted across over 250 websites and apps, including BookMyShow, Flipkart, MakeMyTrip, and Swiggy.
LazyPay also offers personal loans up to Rs. 1 lakh through a digital process. Customers signing up on the platform are required to provide their photo ID proofs such as PAN or Aadhaar, alongside their bank details, and a selfie.