Careem was informed about their security vulnerabilities by a Security Researcher in June 2017

Careem today announced that it was hit by a cyber attack earlier this year, on January 14th. The Dubai-based ride-hailing company shared a public apology in a blog post and across its social media channels.

The attackers were able to steal data on all 14 million customers and captains of the company. The stolen information included names, email addresses, phone numbers and trip data.

Now we have learned that Careem was informed about similar security issues by Dubai-based security researcher Daniyal Nasir, who was able to access information on more than 1.4 million customers and captains of the company.

According to the blog post published in June 2017, the researcher was able to access names, phone numbers, email addresses, trips, drivers’ ID card numbers, earnings, and even photographs. The researcher was also able to access details of all the cars that were part of Careem’s network, including their registration numbers.

Daniyal Nasir is an independent application security researcher and bug bounty hunter on HackerOne, currently serving as a security analyst and forensics investigator at a private company in the UAE. He has been acknowledged by over a hundred reputed organizations, including Microsoft, Sony, Salesforce, Intel, SAP, BuzzFeed, GitHub and Starbucks, for reporting major security flaws in their applications.

Daniyal, together with the team at SecurityWall, a Pakistan-based cybersecurity firm, reached out to Careem to share and discuss the vulnerabilities but did not receive any substantive response.

According to the blog post, SecurityWall’s team also tried reaching out to Careem Pakistan’s Managing Director Junaid Iqbal and the company’s CEO Mudassir Sheikha.

After several attempts, Daniyal and SecurityWall’s team decided not to pursue it any further as, according to them, Careem’s team did not seem interested in discussing the issue.

Some days later, however, the researchers noticed that some of the issues they had reported had been fixed without Careem acknowledging their efforts.

The blog post noted that even though some issues had been addressed, Careem’s application still had vulnerabilities that put the data of customers and captains at risk. SecurityWall’s team reached out to Careem again with all the details, and the company agreed to launch a bug bounty program for the researchers.

We’re not sure whether Careem actually went on to introduce the program; it never made any public announcement about it.

We’ve reached out to Careem for comment and will update the story if we hear from them.
