InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


Case Study: Foodmandu Breach by 1337mickey

Foodmandu, one of the most popular food delivery services in Nepal, was hacked on 7 March 2020 at 8:15 pm (NepaliTelecom, 2020). It is one of the most widely known cyberattacks in Nepal. The attack was a data dump of more than 50,000 Foodmandu users, including the names, addresses, phone numbers, and email addresses of ordinary members of the public as well as well-known people (NepaliTelecom, 2020). Responsibility was claimed by a Twitter account with the handle @mr_mugger (NepaliTelecom, 2020). The hacker said that the 50,000 records were only a demo and that he had access to more than 150,000 users; the dump was posted through a GitHub account and the link was shared on Twitter (NepaliTelecom, 2020). A screenshot of the tweet is shown below.

Hacker’s tweet after the breach

Once the dump appeared, Foodmandu responded by patching the vulnerability and then reported the incident to the CIB (Central Investigation Bureau) for investigation. The target had a server-side vulnerability, SSRF, which let the attacker reach internal systems behind the firewall that are not accessible from outside the network (techpatro, 2020). After the dump, the threat was no longer limited to the organization; the users whose data was dumped were also exposed. As the tweet screenshot notes, the published data was only a filtered demo, which spared more than 100k users from being dumped, but a huge amount of personal data was still breached. After the dump, Foodmandu's official Twitter handle tweeted an apology.

source: https://twitter.com/foodmandu/status/1236561259090210816/photo/1

Following the incident, the police investigated and started an operation called "hackers hunt" (Joshi, 2021). In that operation the Cyber Bureau worked on digital evidence as well as gathered intelligence, and as a result a hacker named Dinesh Tiwari, age 19, from Nawalparasi, was arrested (Joshi, 2021). After the arrest, the hacker was punished under the Digital Electronic Act 2063, Section 9, as decided by the Kathmandu District Court (Joshi, 2021).

Cyber Bureau's statement

The breach was handled under Electronic Law 2063, Chapter 9. Foodmandu had suffered a security breach in which over 50K user records were stolen from the food delivery company's database. The stolen information included email addresses, personal phone numbers, longitude/latitude (geo points), names, and customer locations, taken on the night of Saturday, 7 March 2020.

The hacker blamed Foodmandu for negligence about the vulnerability and said that it had been reported earlier. The attack was SSRF (server-side request forgery). The typical fixes for SSRF would have been allow-listing the domains the server may contact (at the DNS level), enforcing permitted URL schemes, sanitizing and validating inputs, and enabling authentication on all internal services. Beyond fixing the SSRF itself, the company should carry out VAPT regularly, roughly once every six months. Technologies such as RASP, IDS and IPS would have played a large role in preventing the attack. On the positive side, the passwords were encrypted, which prevented account takeover. A good WAF combined with a proper honeypot would have produced a completely different scenario, and a dedicated blue team with a proper SIEM and logging system would have allowed a much quicker response.

In this incident there are both positive and negative parts. First, good cryptographic implementation on the password field did a lot to protect passwords. SSRF, however, is a severe class of vulnerability that can lead to server-side access to an organization; the breach was only a small part of the possible impact, since a hacker could have taken over the server side to spread malware or run mass social engineering attacks by changing the DOM through stored XSS. Foodmandu may still have other vulnerabilities, so having a proper cyber security team is necessary rather than just patching the SSRF on that one endpoint. Proper incident response would have had the dump removed from GitHub earlier, which would also have limited its spread. One security researcher's perspective may not be enough, so gathering multiple hackers' perspectives through an open bug bounty program would help identify new types of vulnerabilities.

So, by my analysis, Foodmandu suffered a loss from the attack, but the fact that only 50k users were dumped rather than the 150k the hacker had access to, and that the full capability of the SSRF was not used, saved the company a great deal. Chaining the SSRF to RCE or SQLi might have given the hacker admin access and with it supreme privilege. Negligence toward reported vulnerabilities must stop, and companies must act properly when a vulnerability is reported.
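As an added example (not from the original post, and not Foodmandu's own code), the following Python function applies the SSRF mitigations listed above to a URL before the server fetches it: it enforces an allowed scheme and a host allow-list, rejects embedded credentials, and resolves the host to confirm every address is public. The partner hostnames and the injectable resolver hook are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allow-list of hosts the application legitimately calls out to;
# the real service's list is not on the page, these names are placeholders.
ALLOWED_HOSTS = {"api.partner.example", "maps.partner.example"}
ALLOWED_SCHEMES = {"https"}


def default_resolve(host):
    """Resolve a hostname to the set of IP address strings it points at."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_outbound_url(url, resolve=default_resolve):
    """Return (ok, reason) for a URL the server is about to fetch.

    Rejects anything that is not https, is not an allow-listed host, carries
    credentials, or resolves to a non-public address (loopback, RFC 1918,
    link-local such as cloud metadata endpoints, or IPv4-mapped IPv6 forms).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname  # urlsplit lowercases the host for us
    if not host or host not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    try:
        addrs = resolve(host)
    except (OSError, ValueError):
        return False, "DNS resolution failed"
    if not addrs:
        return False, "host resolved to no address"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Unwrap ::ffff:a.b.c.d so the IPv4 range checks apply to it as well.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```

The check is only as good as the fetch that follows it: disable redirects or re-run the check on every redirect target, and connect to the address that was validated so a DNS rebinding race between the check and the request cannot bypass it.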

Cyber security is among our basic needs in this information age. Hacking has become a serious threat in our everyday lives as well. Negligence has caused great losses of data and wealth in Nepal. Not only Foodmandu but companies like Vianet and Nepal Telecom have suffered cyber-attacks. The common thread is that proper security technology was not implemented. We can take these cyber incidents as lessons and upgrade our security against external and internal threats. Learning from them, we should work toward no further data breaches through proper use of security technologies and good cryptography.

This is my research on the Foodmandu case. The security misconception "why would I get hacked?" has caused huge losses, so stay safe and happy hacking!

Bibliography:

Anthony R. Metke, R. L. E., 2010. Security Technology for Smart Grid Networks. IEEE Transactions on Smart Grid, 1(1), p. 99.

Bradley Fidler, M. C., 2015. The Production and Interpretation of ARPANET Maps. IEEE Annals of the History of Computing, 37(1), p. 44.

Cyber Bureau, 2020. Facebook. [Online] Available at: https://www.facebook.com/photo/?fbid=1124161651335283&set=pb.100069288816650.-2207520000..

foodmandu, 2020. Twitter. [Online] Available at: https://twitter.com/foodmandu/status/1236561259090210816?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1236561259090210816%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Ftechpatro.com%2Ffoodmandu-hacked-security-breach-exposed-50k-user-data%2F

Giri, S., 2019. Cyber Crime, Cyber Threat, Cyber Security Strategies and Cyber Law in Nepal. Pramana Research Journal, 9(3), pp. 662–665.

Gollmann, D., 2010. Computer security. WIREs Computational Statistics, 2(5), p. 544.

Hang Yu, S. W. H. J., 2020. RASP based Web security detection method. Telecommunications Science, 36(11), pp. 113–120.

Joshi, D. E. D., 2021. Cyber crime in Nepal [Interview] (1 December 2021).

Kleeman, S., 2015. Mic. [Online] Available at: https://www.mic.com/articles/119602/in-one-quote-edward-snowden-summed-up-why-our-privacy-is-worth-fighting-for

Murphey, D., 2019. IFSEC Global. [Online] Available at: https://www.ifsecglobal.com/cyber-security/a-history-of-information-security/

NepaliTelecom, 2020. Nepali Telecom. [Online] Available at: https://www.nepalitelecom.com/2020/03/foodmandu-hack-user-data-leaked.html

Nepal, R., 2020. Foodmandu data dump snap from Twitter. [Art] (Republica Nepal).

Savita Mohurle, M. P., 2017. A Brief Study of WannaCry Threat: Ransomware Attack 2017. International Journal of Advanced Research in Computer Science, 8(5), p. 1938.

Spyridon Samonas, D. C., 2014. The CIA Strikes Back: Redefining Confidentiality, Integrity and Availability in Security. JISSEC, 10(3), p. 23.

techpatro, 2020. techpatro. [Online] Available at: https://techpatro.com/foodmandu-hacked-security-breach-exposed-50k-user-data/

University of Florida Department of Electrical and Computer Engineering, 2016. Network Security: History, Importance, and Future. s.l.: s.n.

Vinay Pratap Singh, T. P. S. R. M., 2019. Cyber-Attack Resilient Design of Wide-Area PSS Considering Practical Communication Constraints. IEEE Systems Journal, 14(2), pp. 2012–2022.

Yadhav, A., 2017. Cyber security. In: Cyber Security. s.l.: Narosa, p. 1.24.


Written by sushil phuyal


Great write up brother 💯💯
