Bykea, the two-wheel ride-hailing service provider, has confirmed that Safety Detectives helped it resolve a vulnerability in its database. However, the white hats, or ethical hackers, were not given either the bounty or recognition they deserved, it said.
“It was not a data breach,” said Rafay Baloch, a cybersecurity researcher. “They [Safety Detectives] found a loophole [vulnerability] in Bykea’s servers leading to data exposure.”
Bykea endured a hacking attempt in August 2020, when the company’s data was hacked, but the hackers couldn’t do anything except delete it. The company said the data was restored in 24 hours from the backup.
In November last year, Safety Detectives reported another vulnerability on one of Bykea’s backup logging nodes. The company had it fixed but, as a standard practice, did not recognize it or offer any bounty.
“All big tech companies such as Google have their Vulnerability Disclosure or Bounty programs,” Baloch said. “Bykea has now announced it.”
Baloch criticized Safety Detectives for reporting a vulnerability as if data had been breached. He, however, said that a loophole was pointed out and the data could have been breached. Bykea also confessed that its rider data was not encrypted.
Safety Detectives recently published an article ‘Multimillion-dollar Pakistani delivery company leaks 400+ million files’ on Bykea’s vulnerability. It said that 200GB of data was exposed, not breached.
Bykea says that its representatives were in touch with Safety Detectives and acknowledged that it helped the Bykea security team resolve the vulnerability.
“Unlike what bloggers in the aftermath of the article on Security Detectives’ site inferred, this was a vulnerability identification, not a breach of data for criminal purposes,” Bykea said in a statement.
“The citation of 400 million files mostly comprises millions of GPS pinpoints that Bykea solicits in tracking over a two-week period in 2020 and drivers can rest assured that national ID data is encrypted now on Bykea.
“Security researchers and teams like Safety Detectives play a crucial role in creating awareness and helping companies all around the world identify and plug their weaknesses, a contribution Bykea explicitly welcomes,” Bykea founder Muneeb Maayr said.
The company said that it has engaged cybersecurity firms, including SecurityWall, that ran pen tests on Bykea’s infrastructure, and has launched a vulnerability disclosure program with HackerOne.
“The company is exploring ways to build ongoing collaborations with ethical hackers to advance their mutual interests of building a secure digital economy protecting personal information,” it added.