EuroAsia24 News
Carousell fined S$58,000 for data leaks, over 2.6 million users affected

By EuroAsia24
February 23, 2024
in Lifestyle
Carousell has been fined S$58,000 over two separate data breaches in 2022, one of which exposed the personal data of approximately 2.6 million Carousell users. The breaches were detailed in a decision by Singapore's Personal Data Protection Commission (PDPC) published yesterday (February 22).

The first data breach occurred in July 2022 when Carousell implemented changes to its chat function. The chat function is a feature that allows potential buyers to send and receive messages to and from listing owners on the Platform.

The changes were intended to be limited to users in the Philippines who were responding to property listings: with a user's prior consent, their personal details (first name, email address and phone number) would be sent automatically to the owner of the property listing.

However, due to human error, the email addresses and names of guest users (those who did not have registered accounts on the Platform) were automatically appended to all messages sent to the listing owners of all categories in all markets. For guest users in the Philippines, their telephone numbers were also leaked in the messages.

Carousell did not identify the bug at the time. A month after the leak began, it deployed a fix for an unrelated issue with the pre-fill functionality of the chat function, and that fix widened the effect of the original bug: the data of registered users, not just guest users, was now automatically appended to messages as well.

Carousell was eventually made aware of the bug via a user report sent on August 18, 2022 and implemented a fix on August 24 which resolved both bugs. In total, the personal data of 44,477 individuals was compromised, comprising the email addresses of all affected users and the mobile phone numbers of users in the Philippines.
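The root cause described above is a scope check that looked at the wrong thing: the pre-fill fired on a property of the sender (guest or not) instead of on the market, the listing category and the consent flag together. The following is an added example, not Carousell's code, that reconstructs that class of bug next to a correctly scoped version and runs the kind of regression check the PDPC decision says Carousell later added (a test that no outgoing message carries contact data when pre-fill is out of scope). The data model, field names and sample users are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed model of the chat pre-fill feature; names and fields are assumptions.
@dataclass(frozen=True)
class User:
    first_name: str
    email: str
    phone: Optional[str]
    market: str                     # e.g. "PH", "SG"
    is_guest: bool
    consented_to_prefill: bool = False

@dataclass(frozen=True)
class Listing:
    category: str                   # e.g. "property", "electronics"
    market: str

def contact_block(sender: User) -> str:
    parts = [sender.first_name, sender.email]
    if sender.phone:
        parts.append(sender.phone)
    return "\nContact: " + " | ".join(parts)

def compose_buggy(sender: User, listing: Listing, body: str) -> str:
    """Mis-scoped variant: the condition looks only at the sender and never at the
    listing, so the pre-fill fires for every category in every market.
    Illustrates the class of bug the article describes, not Carousell's code."""
    if sender.is_guest:
        return body + contact_block(sender)
    return body

def prefill_in_scope(sender: User, listing: Listing) -> bool:
    """Every intended condition is checked explicitly; anything else means no pre-fill."""
    return (listing.market == "PH"
            and listing.category == "property"
            and sender.market == "PH"
            and sender.consented_to_prefill)

def compose_fixed(sender: User, listing: Listing, body: str) -> str:
    if prefill_in_scope(sender, listing):
        return body + contact_block(sender)
    return body

def leaks_contact_data(message: str, sender: User) -> bool:
    """Regression check: does an outgoing message carry the sender's email or phone?"""
    return any(v and v in message for v in (sender.email, sender.phone))

# Constructed sample cases: (label, sender, listing).
CASES = [
    ("ph_guest_property_consented",
     User("Ana", "ana@example.com", "+63-900-000-0001", "PH", True, True),
     Listing("property", "PH")),
    ("ph_guest_electronics",
     User("Ben", "ben@example.com", "+63-900-000-0002", "PH", True, False),
     Listing("electronics", "PH")),
    ("sg_guest_property",
     User("Chen", "chen@example.com", None, "SG", True, False),
     Listing("property", "SG")),
    ("ph_registered_property_no_consent",
     User("Dina", "dina@example.com", "+63-900-000-0004", "PH", False, False),
     Listing("property", "PH")),
]

def audit(compose: Callable[[User, Listing, str], str]) -> List[str]:
    """Labels of cases where contact data was appended although pre-fill is out of scope.
    An empty list is the passing result for this check."""
    findings = []
    for label, sender, listing in CASES:
        msg = compose(sender, listing, "Is this still available?")
        if leaks_contact_data(msg, sender) and not prefill_in_scope(sender, listing):
            findings.append(label)
    return findings

if __name__ == "__main__":
    print("buggy :", audit(compose_buggy))
    print("fixed :", audit(compose_fixed))
```

The point of `audit` is that it tests the negative space: the original change was only tested against the case it was meant to serve (Philippines property listings), which is exactly the case where appending contact data is correct. A check that enumerates out-of-scope combinations of market, category and account type would have caught both the original bug and the later regression that extended it to registered users.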

Following the incident, Carousell deleted all affected personal data disclosed in the chat function by September 3, 2022 and notified users who had written to Carousell about the data breach by September 6, 2022.

A threat actor put up 2.6 million users’ data for sale on an online forum

Carousell was alerted by the PDPC to the second data leak in October 2022, after the commission identified an individual offering the personal data of about 2.6 million users for sale.

The breach arose when Carousell launched a public-facing application programming interface (API) during a system migration process on January 15, 2022. An API allows computer programs or components to communicate with each other.

However, Carousell inadvertently failed to apply a filter to that API, leaving a vulnerability that a threat actor eventually exploited.

The API’s intended function was to retrieve the personal data of users following, or followed by, a particular Carousell user. A filter applied to the API’s output would have ensured that only publicly available personal data about those users (their user name, name and profile image) was returned.

Without the filter, the API also returned the users’ non-public personal data, comprising their email addresses, telephone numbers and dates of birth. In API-security terms this is excessive data exposure: the endpoint serialised the full stored record and relied on the client to ignore fields it was never meant to receive.

A threat actor exploited this loophole by querying the follower and following lists of 46 accounts that had large numbers of followers or followed many other users, harvesting the records the API returned for each. Forensic investigations revealed that this occurred in May and June 2022.
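To make the missing filter and its consequence concrete, here is an added example, not Carousell's code, that puts the unfiltered follower/following endpoint next to an allowlisted one and shows how a scraper seeded with a few well-connected accounts harvests whatever the endpoint returns. The user store, graph, field names and the three-field public allowlist are assumptions for the example; only the idea that the public fields were user name, name and profile image comes from the decision.

```python
from typing import Callable, Dict, Iterable, List, Set

# Constructed user store and social graph; field names and values are assumptions
# made for this example, not Carousell's real schema or data.
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"username": "alice", "name": "Alice Tan", "profile_image": "/img/alice.png",
              "email": "alice@example.com", "phone": "+65-8000-0001", "dob": "1990-01-02"},
    "bob":   {"username": "bob", "name": "Bob Lim", "profile_image": "/img/bob.png",
              "email": "bob@example.com", "phone": "+65-8000-0002", "dob": "1988-03-04"},
    "carol": {"username": "carol", "name": "Carol Ong", "profile_image": "/img/carol.png",
              "email": "carol@example.com", "phone": "+63-900-000-0003", "dob": "1995-05-06"},
    "dave":  {"username": "dave", "name": "Dave Koh", "profile_image": "/img/dave.png",
              "email": "dave@example.com", "phone": "+65-8000-0004", "dob": "1979-07-08"},
}
FOLLOWERS: Dict[str, List[str]] = {"alice": ["bob", "carol", "dave"], "bob": ["alice"],
                                   "carol": ["alice", "bob"], "dave": []}
FOLLOWING: Dict[str, List[str]] = {"alice": ["bob", "carol"], "bob": ["alice", "carol"],
                                   "carol": ["alice"], "dave": ["alice"]}

# The only fields the endpoint is meant to expose about other users.
PUBLIC_FIELDS = ("username", "name", "profile_image")

Endpoint = Callable[[str, str], List[Dict[str, str]]]

def _related(user_id: str, relation: str) -> List[str]:
    graph = FOLLOWERS if relation == "followers" else FOLLOWING
    return graph.get(user_id, [])

def connections_unfiltered(user_id: str, relation: str = "followers") -> List[Dict[str, str]]:
    """Vulnerable shape: the stored record is serialised as-is, so every column
    in the user row goes out to any caller who can reach the endpoint."""
    return [dict(USERS[u]) for u in _related(user_id, relation)]

def to_public(record: Dict[str, str]) -> Dict[str, str]:
    """Allowlist projection: only the public fields survive, whatever else the row holds.
    A denylist ('strip email and phone') would silently leak any column added later."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}

def connections_filtered(user_id: str, relation: str = "followers") -> List[Dict[str, str]]:
    """Hardened shape: the projection is applied at the boundary, per record."""
    return [to_public(USERS[u]) for u in _related(user_id, relation)]

def leaked_fields(response: Iterable[Dict[str, str]]) -> Set[str]:
    """Response keys outside the public allowlist; a non-empty set is a failing check."""
    leaked: Set[str] = set()
    for rec in response:
        leaked.update(k for k in rec if k not in PUBLIC_FIELDS)
    return leaked

def harvest(seed_ids: Iterable[str], endpoint: Endpoint) -> Dict[str, Dict[str, str]]:
    """What the scraper does: query both lists for a few well-connected seed accounts
    and keep every distinct record returned, keyed by username."""
    out: Dict[str, Dict[str, str]] = {}
    for seed in seed_ids:
        for relation in ("followers", "following"):
            for rec in endpoint(seed, relation):
                out.setdefault(rec["username"], rec)
    return out

if __name__ == "__main__":
    print("unfiltered leaks:", sorted(leaked_fields(connections_unfiltered("alice"))))
    print("filtered leaks  :", sorted(leaked_fields(connections_filtered("alice"))))
    for name, rec in harvest(["alice"], connections_unfiltered).items():
        print(name, "->", rec.get("email"), rec.get("phone"), rec.get("dob"))
```

Two things are worth noting. First, `leaked_fields` is the contract test that was missing: it asserts on the shape of the response, not on who is allowed to call the endpoint, which is why it would have flagged the bug even though every request was made by an ordinary authenticated account. Second, the harvest needs no vulnerability beyond the missing projection: with an allowlist in place the scraper still enumerates the graph, but it walks away with exactly what a profile page already shows.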

Carousell’s internal engineering team discovered the API bug on September 15, 2022 and deployed a patch the same day. It then investigated whether there had been unauthorised access to users’ personal data in the 60 days before September 15 and detected no anomalies. The scraping, however, had taken place in May and June, outside that look-back window, so the investigation could not have found it.
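That gap is the detection lesson in the decision: the look-back window was anchored to the patch date rather than to the date the vulnerable API went live. The following added example, not Carousell's code, builds a constructed access log in an assumed format and runs one simple per-account volume check over it twice, once over the 60 days before the patch and once from the API's launch date. The log format, the account identifiers, the daily threshold and the traffic shape are all assumptions for the example; the dates come from the article.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

API_LAUNCH = datetime(2022, 1, 15, tzinfo=timezone.utc)   # public API went live
PATCH_DATE = datetime(2022, 9, 15, tzinfo=timezone.utc)   # bug found and patched

def build_sample_log() -> List[str]:
    """Constructed access log (assumed format, not a real log). One account, u4711,
    pages through the follower/following lists of a few well-connected profiles for a
    week at the end of May 2022; everyone else fetches a list page now and then."""
    lines = []
    seeds = ["alice", "bob", "carol"]
    for day in range(7):
        start = datetime(2022, 5, 28, tzinfo=timezone.utc) + timedelta(days=day)
        for page in range(300):
            t = start + timedelta(seconds=page * 20)
            seed = seeds[page % len(seeds)]
            rel = "followers" if page % 2 == 0 else "following"
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} account=u4711 GET "
                         f"/api/users/{seed}/{rel}?page={page // len(seeds) + 1} 200")
    for day in range(0, 240, 3):
        t = datetime(2022, 1, 16, 12, tzinfo=timezone.utc) + timedelta(days=day)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} account=u{100 + day % 17} GET "
                     f"/api/users/alice/followers?page=1 200")
    return lines

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<acct>\S+) GET /api/users/(?P<target>[^/]+)/"
    r"(?P<rel>followers|following)\?page=(?P<page>\d+) (?P<status>\d{3})$")

def parse(line: str) -> Optional[Tuple[datetime, str]]:
    """Timestamp and account for a follower/following list fetch; None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["acct"]

def flag_scrapers(lines: List[str], window_start: datetime, window_end: datetime,
                  per_day_threshold: int = 100) -> Dict[str, int]:
    """Accounts whose list-page fetches exceed the threshold on any single day inside
    [window_start, window_end]. Returns {account: peak daily count}."""
    per_day: Counter = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, acct = parsed
        if window_start <= ts <= window_end:
            per_day[(acct, ts.date())] += 1
    peaks: Dict[str, int] = {}
    for (acct, _day), n in per_day.items():
        if n > per_day_threshold:
            peaks[acct] = max(n, peaks.get(acct, 0))
    return peaks

def sixty_day_lookback(lines: List[str]) -> Dict[str, int]:
    """The window the article describes: 60 days ending on the patch date."""
    return flag_scrapers(lines, PATCH_DATE - timedelta(days=60), PATCH_DATE)

def full_lookback(lines: List[str]) -> Dict[str, int]:
    """The window that matches the exposure: from the API's launch to the patch."""
    return flag_scrapers(lines, API_LAUNCH, PATCH_DATE)

if __name__ == "__main__":
    log = build_sample_log()
    print("60-day window :", sixty_day_lookback(log))
    print("since launch  :", full_lookback(log))
```

The check itself is deliberately crude (a daily count of list-page fetches per account); the result it illustrates does not depend on its sophistication. Any detector bounded to the 60 days before the patch sees ordinary traffic, because the exposure window began on January 15 and the abuse sat in May and June. When a vulnerability is found after the fact, the retrospective search has to cover the whole period the flaw was live, not a fixed recent interval.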

The e-commerce platform remained unaware of the exploitation until it was informed by the PDPC on October 13, 2022, after which it identified and blocked the threat actor’s account and notified all affected users by email.

Failure to conduct pre-launch testing, lack of proper documentation

For the first data breach, Carousell failed to conduct reasonable pre-launch testing upon implementing its changes to the Platform’s chat function, said the PDPC. Reasonable code reviews and testing would have detected the bugs before the changes went live.

Carousell admitted that since the changes were only intended to impact users in a specific category of listings (i.e. property listings in the Philippines market), testing was not undertaken to check how the changes may have affected other users and listings outside the intended category.

For the second data breach, Carousell had selectively performed code reviews and tests during its system migration, only for certain purposes and on certain APIs.

The company failed to test the API for data security risks and admitted that it did not mandate comprehensive code reviews for security issues prior to the second breach.

In both instances, the lack of proper documentation also contributed to the breaches. Without proper documentation, developers often have no references to fall back on, and may end up making assumptions about code logic that could produce incorrect results.

When Carousell’s engineer implemented the changes to the platform’s chat function, he did not have the contextual knowledge to realise that such changes would affect other users and categories as he was not the original author of the function. This contributed to the first data breach.

Meanwhile, for the second breach, the APIs involved in the system migration were built in 2016 and did not have proper documentation. Carousell admitted that its employees may not have been aware that they needed to apply a filter to the relevant API post-migration.

Carousell “respects the PDPC’s published decision”

Following the data breaches, Carousell has implemented various measures to prevent the recurrence of similar incidents. This includes the introduction of an automated unit test which ensures that the Platform does not erroneously append any personal data in chat messages, and the configuration of its GitHub repository to scan for and generate alerts for data leakages.

In response to the PDPC’s decision, a Carousell spokesperson shared that the company “respects their published decision regarding the September and October 2022 incidents, which also notes Carousell’s prompt and effective remediation actions to enhance data security and prevent similar incidents from occurring in future”.

Carousell has been working on addressing the additional recommended remediation steps set out by PDPC in their final decision. Both incidents were isolated one-off incidents that happened due to unrelated bugs that were introduced that have since been fixed.

Protecting our users’ personal information has been and will always be of paramount importance to us. To ensure that we maintain a robust and effective security posture, we continually invest significant resources in enhancing our security infrastructure and cyber security efforts.

– Carousell

Copyright © 2024 EuroAsia24 News.
EuroAsia24 News is not responsible for the content of external sites.
