Vodafone, Helpchat — Is this negligence? Or just plain dumb?

Ravneet Singh
Jul 26, 2016


What exactly happened?

To begin with, Helpchat, the start-up that basks in the glory of a million+ downloads on the Play Store and the multiple millions backing it, has rolled out a public beta which I was curious to check out (you can never be too informed, eh?). Upon exploring the app a little, I found a feature that lets users view prepaid offers for Vodafone and also recharge/activate those offers right there. On the surface it looked like a decent feature. But when I looked closely I found a massive screw-up.

This feature allows you to enter anybody’s phone number, then see and activate plans for that number. While activating these plans, there is a “Pay by balance” option, and at no point does the app check that the number being charged belongs to the person using it. Which means anyone can empty your balance by activating unnecessary plans for you, without your knowledge or permission, just by using your phone number.

Screencast of the feature being used to activate a plan of Rs. 248 for another Vodafone user.
Before and after the plan was activated from a different device.

Upon contacting Vodafone customer support, they couldn’t help because, they claimed, the plan had been activated by me.

Vodafone customer care had no idea these activations came through Helpchat and assumed the user had made them himself.

An exposure as big as this can leave a vast number of users facing the consequences, and it needs to be shut down within a couple of hours if not minutes. Since Vodafone seemed to turn a blind eye to all this, I contacted Helpchat’s CEO Ankur Singla on Facebook, who then asked me to contact their CTO Vishal Pal Chaudhary. After over 24 hours and contacting the CTO twice, there you are Helpchat, doing nothing about it. So cute.

What is wrong with the whole situation?

  • A company like Vodafone, whose services are used by millions of users in our country, cannot just open APIs that can be leveraged without user authentication. Firstly, the API that is used to deduct money from the balance should at least have SMS verification built in, so that only the person holding the SIM can authorise a charge to it. Secondly, once an API endpoint is opened to a partner company, it should be thoroughly monitored to ensure no mishaps happen.
  • Backed by Sequoia and with $25 million in their pockets, Helpchat has ample resources for developing the app. A mistake as massive as this one should never have made it into the public beta of a company which must have an extensive testing team. It’s the kind of mistake that never should have made it beyond alpha tests, if not the whiteboard discussions. All it takes is one notorious mind to mess with lakhs of users using this.
  • When you are informed that a bug like this exists and anyone has access to it, the ideal reaction from Helpchat would have been to shut it down within minutes (nuke that feature immediately? temporarily roll back the beta? no?) and make sure no more people get access to this kind of exposure. If anyone from Helpchat is listening, you guys want to fix this right away.
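As an added illustration, not code from Helpchat or Vodafone, the Python sketch below puts the flaw as the post describes it (charge whatever number the caller supplies) next to a handler that only lets “pay by balance” go through for a number the caller has proven control of via a one-time code sent to that number, and records denied attempts for the kind of monitoring the first point asks for. The phone numbers, plan id and OTP flow are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample data standing in for the operator's subscriber records.
PLANS = {"PLAN_248": 248}
SAMPLE_BALANCES = {"+910000000001": 500, "+910000000002": 300}

def activate_plan_insecure(balances, msisdn, plan_id):
    """The flaw as described: any caller may charge any number's balance."""
    balances[msisdn] -= PLANS[plan_id]
    return balances[msisdn]

class RechargeService:
    """Hardened form: a charge needs a session that proved control of the number."""
    OTP_TTL = 300  # seconds a one-time code stays valid
    def __init__(self, balances, send_sms):
        self.balances = dict(balances)
        self._send_sms = send_sms      # operator SMS gateway (stubbed in tests)
        self._pending = {}             # msisdn -> (sha256(otp), expiry time)
        self._sessions = {}            # token -> msisdn the session is bound to
        self.audit = []                # what a partner-facing API should log

    def request_otp(self, msisdn, now):
        otp = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(otp.encode()).hexdigest()
        self._pending[msisdn] = (digest, now + self.OTP_TTL)
        self._send_sms(msisdn, otp)    # only the handset holding the SIM sees it

    def verify_otp(self, msisdn, otp, now):
        entry = self._pending.pop(msisdn, None)   # single use, expired or not
        if entry is None or now > entry[1]:
            return None
        if not hmac.compare_digest(entry[0], hashlib.sha256(otp.encode()).hexdigest()):
            return None
        token = secrets.token_urlsafe(16)
        self._sessions[token] = msisdn
        return token

    def activate_plan(self, token, msisdn, plan_id):
        # The check the original feature lacked: the charged number must be
        # the one this session proved ownership of, not a caller-supplied one.
        if self._sessions.get(token) != msisdn:
            self.audit.append(("denied", msisdn, plan_id))
            raise PermissionError("session is not bound to the charged number")
        price = PLANS[plan_id]
        if self.balances[msisdn] < price:
            raise ValueError("insufficient balance")
        self.balances[msisdn] -= price
        self.audit.append(("activated", msisdn, plan_id))
        return self.balances[msisdn]
```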

What can we learn from this?

  • With great power comes great responsibility. APIs give us a lot of information and the capacity to do things on the user’s behalf. That’s quite some power. If we are using APIs from multiple services in our products, we need to wield this power very carefully and with the utmost priority given to the user’s privacy and control. While we are glad to see companies opening up APIs, we need to create an ecosystem where the companies opening the APIs (in this case Vodafone) take equal responsibility for monitoring the way the APIs they opened are being used.
  • This tale has been told time and again but it can never be told too many times. Companies might take access to your information with good intentions, but not everyone uses it responsibly. Be wise while choosing the services you want to share your data with.

UPDATE: The CTO has finally responded after this blog started gaining attention and the Offers feature is removed from the app.

The Offers feature removed from Helpchat

Ravneet Singh

Co-founder @Bucker, Love playing with Data and building stuff, ML & AI enthusiast. Ex-@Microsoft and @GSoC intern.