Careem notified of vulnerabilities as early as 2016, experts say
The firm reportedly ignored multiple alerts about security flaws
Middle East taxi-hailing app Careem repeatedly dismissed or ignored attempts by ethical hackers to alert the company to security vulnerabilities, dating back to November 2016, it emerged on Wednesday.
In an emailed statement, Babar Khan Akhunzada, founder of Pakistani firm Security Wall, told Gulf News that the company had alerted Careem to a serious security flaw last year, receiving an automated customer service message in response.
“Last year [Security Wall associate Daniyal Nasir] found a vulnerability on Careem’s web application,” Akhunzada said. Daniyal said he could access the confidential records of 1.4 million customers, including trip data and telephone numbers. The same data was stolen in January’s hack, Careem said.
Gulf News has seen screenshots from Security Wall which confirm their ability at the time to access users’ private records.
Careem said in an email that “like many companies, we frequently receive messages from independent security researchers on potential technical issues.” It added that “we are actively reviewing our process to see how we can work better with this incredibly helpful community — who can reach us at security@careem.com.”
Experts say that companies often fail to act on important vulnerability notifications simply because they are inundated with a mix of real, and sometimes fake, alerts. “As a platform sees more scale, it can become increasingly difficult to sort the sheer amount of inbound threat reports,” Omar Kassim, CEO of Esanjo, told Gulf News.