A Privacy bug was found in the largest Indian online music streaming service Gaana website, which allowed access to private details of users including the date of birth.
A Security researcher Avinash, found an Insecure direct object reference vulnerability, and reported it to the Gaana.com. Gaana.com fixed the bugs after three weeks.
Avinash said a bug in an Internal API gave him access to 11 Million records. A simple HTTP Get request with the corresponding User ID is enough to get their details.
The researcher said he was able to access full name, profile picture, email address, date of birth and last song they listened on Gaana.
In his blog post, he wrote “ On 12th of May I had discovered a vulnerability on Gaana.com. I contacted their team and it was fixed recently.”
When EHN contacted the author about why the original article has been removed from the blog by the author. He replied that "he removed it after getting a request from Gaana.com."
You can find the cached version of the Blog post in Google Cache.
