What is LazyPay?
LazyPay is one of the most popular ‘pay later’ platforms in India. It also has a first-of-its-kind digital credit card called LazyPlus. It combines Unified Payment Interface (UPI) and the buy-now-pay-later concept to “help users access real-time credit using UPI omnichannel networks, including offline merchants and e-commerce platforms.” (Ref: Livemint)
What is the Flaw?
A security flaw was found in one of their APIs that allowed hackers to fetch sensitive user information using the user’s phone number in the request. The information being leaked included: Profile Picture, Name, Gender, Date of Birth, Postal Address, Primary & Secondary Emails, Secondary Mobile Number, KYC Status (whether it is verified or not), and Account creation date.
Why is it big?
LazyPay has 20 lakh active users and plans to reach 50 lakh customers within this year. (Ref: Livemint)
The information of these users was at risk of being leaked online. A hacker with minimal programming skills could easily create a program to generate a series of phone numbers and pass them to the API to extract information automatically.
The company acknowledged and responsibly fixed the flaw as soon as it was notified.
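A sketch of the server-side controls that close this class of flaw, added here as an illustration and not LazyPay's code or its actual fix: the profile is returned only when the requested number matches the authenticated session, and a client asking about many distinct numbers is throttled. The class, field names, thresholds and sample records are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # assumed sliding window
MAX_DISTINCT_NUMBERS = 5   # assumed budget of distinct numbers per client per window

# Constructed sample records, not real data.
SAMPLE_PROFILES = {
    "9000000001": {"name": "Sample User A", "kyc_verified": True},
    "9000000002": {"name": "Sample User B", "kyc_verified": False},
}

class ProfileLookupGuard:
    """Hypothetical guard: owner-only access plus enumeration throttling."""

    def __init__(self, profiles):
        self.profiles = profiles
        self.recent = defaultdict(deque)   # client_id -> (timestamp, phone) pairs

    def lookup(self, client_id, session_phone, requested_phone, now):
        """Return (http_status, body) for one profile request."""
        history = self.recent[client_id]
        while history and now - history[0][0] > WINDOW_SECONDS:
            history.popleft()              # forget requests outside the window
        history.append((now, requested_phone))
        # Many distinct numbers from one client is the enumeration signature.
        if len({phone for _, phone in history}) > MAX_DISTINCT_NUMBERS:
            return 429, {"error": "too many lookups"}
        if session_phone is None:
            return 401, {"error": "authentication required"}
        # The number in the request is never trusted on its own: it must match
        # the identity bound to the session. The refusal is identical whether or
        # not the number exists, so it does not confirm who is registered.
        if requested_phone != session_phone:
            return 403, {"error": "forbidden"}
        profile = self.profiles.get(session_phone)
        return (200, profile) if profile else (404, {"error": "not found"})

def sweep_statuses(guard, client_id, session_phone, numbers, start):
    """Replay a run of lookups one second apart and collect the status codes."""
    return [guard.lookup(client_id, session_phone, n, start + i)[0]
            for i, n in enumerate(numbers)]
```

The 429 responses are also a useful alerting signal: a single client exhausting its distinct-number budget is worth a log entry and review even though every lookup was refused.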