

Uber’s Biggest Rival in the Middle East Just Got Hacked, Even After a Pakistani Company Warned Them




Careem is today the largest competitor Uber has in South Asia and the Middle East. It operates in 80 cities across 13 countries and was rumored to be worth over 1.2 billion dollars in 2017. But despite its reach and success, it has fallen victim to hacking just as Uber did. Careem told its users about the breach in a blog post, which read as follows:

“On January 14th of this year, we became aware that online criminals gained access to our computer systems which hold customer and captain account data. Customers and captains who have signed up with us since that date are not affected.”


After the post went up, it immediately took the media by storm. People wanted to know what had actually happened and how much of their information had been compromised; after all, as many users pointed out, someone who knows where a rider is picked up and where they are dropped off could use that to stalk or kidnap them. Because this was a safety concern and not only a privacy concern, people wanted to know how the breach happened, exactly what was taken, and who was responsible.

Information has since come to light that a Pakistani security researcher reported a flaw in Careem’s system that could have allowed exactly this kind of data leak, a full 18 months before the January incident. The details are as follows.

A Pakistani researcher and his team reported the problem to Careem 18 months earlier:


Shahmeer Amir, the entrepreneur and CEO of the ethical hacking company Vieliux, found an open API endpoint that leaked user data and other sensitive information about a year and a half before the January breach Careem has just disclosed. According to Amir, he and his team set out to test how far the flaw could be pushed and found that the open endpoint could be exploited to pull up all the information an attacker might want about any Careem user or captain. They pointed to two factors they believe caused the problem.

He says, “I reported it to them 18 months ago, they did not patch it up. Careem says that this is not the flaw behind this breach, but I think this flaw may have aided the breach.”

Vieliux believes two causes may have contributed to the hack:


The first was the open API endpoint the team reported, which would return users’ addresses and personal information if its identifiers were brute forced.

The second was the lack of entropy in Careem’s booking IDs: predictable IDs can be guessed one after another, which turns a brute-force attack on such an endpoint from impractical into routine.
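As an added illustration, and not code from the page, from Careem or from Vieliux, the following Python models the two weaknesses just described in a hypothetical booking lookup endpoint (the class and function names and the sample rides are constructed for the example): a counter-based booking ID with no ownership check, which an attacker enumerates simply by counting upward, beside a version using 128-bit random IDs and an ownership check. It also includes a small triage check a tester can run on a few collected IDs to spot a sequential scheme.

```python
import secrets


# Constructed sample rides (hypothetical data, not real Careem records).
RIDES = [
    {"user": "alice", "pickup": "12 Harbour Rd", "dropoff": "Airport T1"},
    {"user": "bob", "pickup": "7 Park Lane", "dropoff": "Central Station"},
    {"user": "carol", "pickup": "3 Oak St", "dropoff": "City Hospital"},
]


class SequentialBookingApi:
    """Hypothetical vulnerable endpoint: booking IDs come from a counter
    (no entropy) and the lookup returns a record to anyone who knows the ID
    (no ownership check). Together these make every booking enumerable."""

    def __init__(self, first_id=1000):
        self._next = first_id
        self._store = {}

    def book(self, user, pickup, dropoff):
        booking_id = str(self._next)  # 1000, 1001, 1002, ...
        self._next += 1
        self._store[booking_id] = {"user": user, "pickup": pickup, "dropoff": dropoff}
        return booking_id

    def get_booking(self, caller, booking_id):
        # BUG: `caller` is never compared with the record's owner.
        return self._store.get(booking_id)


class RandomBookingApi:
    """Hardened version: 128-bit random IDs from the secrets module plus an
    ownership check on every lookup. The check is what fixes the
    authorization bug; the random ID only removes the cheap guessing path."""

    def __init__(self):
        self._store = {}

    def book(self, user, pickup, dropoff):
        booking_id = secrets.token_urlsafe(16)  # 16 random bytes, 128 bits of entropy
        self._store[booking_id] = {"user": user, "pickup": pickup, "dropoff": dropoff}
        return booking_id

    def get_booking(self, caller, booking_id):
        record = self._store.get(booking_id)
        # Same response for "no such booking" and "not your booking", so a
        # caller cannot even confirm that a guessed ID exists.
        if record is None or record["user"] != caller:
            return None
        return record


def enumerate_bookings(api, caller, start, count):
    """What an attacker does against a low-entropy ID scheme: walk a numeric
    range and keep every ID the endpoint answers for."""
    found = {}
    for n in range(start, start + count):
        record = api.get_booking(caller, str(n))
        if record is not None:
            found[str(n)] = record
    return found


def looks_sequential(ids):
    """Quick triage check on a handful of observed IDs: True if they are all
    integers with a constant non-zero stride, i.e. trivially predictable."""
    try:
        values = sorted(int(i) for i in ids)
    except ValueError:
        return False
    if len(values) < 2:
        return False
    strides = {b - a for a, b in zip(values, values[1:])}
    return len(strides) == 1 and 0 not in strides


if __name__ == "__main__":
    weak = SequentialBookingApi()
    weak_ids = [weak.book(**ride) for ride in RIDES]
    print("sequential IDs:", weak_ids, "predictable:", looks_sequential(weak_ids))
    # "mallory" has no bookings but harvests all three by counting upward.
    print("harvested by mallory:", enumerate_bookings(weak, "mallory", 1000, 10))

    strong = RandomBookingApi()
    strong_ids = [strong.book(**ride) for ride in RIDES]
    print("random IDs predictable:", looks_sequential(strong_ids))
    print("mallory on alice's ride:", strong.get_booking("mallory", strong_ids[0]))
    print("alice on her own ride:", strong.get_booking("alice", strong_ids[0]))
```

The random ID on its own is not the fix: an endpoint that hands anyone’s booking to whoever presents the ID is still an authorization bug, and IDs leak through logs, referrers and support tickets. The ownership check closes the hole; the entropy only denies the attacker a cheap way to find IDs to try.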

Careem did not respond immediately:


The Vieliux team reports that they informed Careem about the flaw when they discovered it but got no reply. They even went as far as messaging Careem’s Twitter account, yet Careem remained unresponsive for the full 18 months until the breach occurred and a large number of users lost sensitive data in the January hack. Only then did Careem respond to Vieliux, asking them to help fix the flaw while assuring them that it was not what caused the breach.

What does one do about the breach?


As Careem has said, people who installed the app and created their accounts after the breach are not affected by it. People who had accounts before January of this year should follow the instructions given by Careem, keep an eye on their accounts for unexpected activity, and change their passwords, along with the password on any other account where the same one was reused.

What is Careem doing to solve this issue?


In their own statement, they said that “it is our responsibility to be open and honest with you and to reaffirm our commitment to protecting your privacy and data.” By disclosing the breach they have shown conviction and purpose, and are possibly on the road to making sure all their users’ privacy concerns are heard and taken care of accordingly.




