Payment API Vulnerabilities Exposed “Millions” of Users
According to new findings from CloudSEK, millions of customers may have had their personal and payment information exposed without their knowledge, after researchers discovered API security vulnerabilities affecting multiple apps. CloudSEK found that of the 13,000 apps uploaded to BeVigil, its security search engine for mobile applications, roughly 250 used the Razorpay API to process financial transactions. Of these, 5% exposed both their payment integration key and key secret, the security firm said.
The flaw is not an issue with the Razorpay API itself, which currently serves roughly eight million businesses, but with how app developers mishandle API credentials. CloudSEK found that a wide range of companies have mobile apps with API keys hardcoded in the app packages, making them easily discoverable to anyone who unpacks the app. Data exposed in this way could include user information such as transaction IDs and amounts, phone numbers, email addresses, and more. The same apps are also typically integrated with other applications and wallets, which compounds the risk.
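The defensive counterpart to the finding above is a secret scan run in CI before the app package is built, so a key ID and key secret never ship inside the APK. The following is an added example, not code from CloudSEK or Razorpay; the `rzp_live_`/`rzp_test_` key-ID format is an assumption about Razorpay's public key IDs, and the sample file contents are constructed.

```python
"""Flag payment-gateway credentials hardcoded in app source or config files.

Added example (not from the article, CloudSEK or Razorpay). Run over the
source tree before packaging; a key_secret inside the tree is the exposure
the report describes. Key-ID format is an assumption, sample files are constructed.
"""
import re
from typing import Dict, List, Tuple

# Assumed Razorpay key-ID shape: "rzp_" + mode + "_" + 14 alphanumerics.
KEY_ID_RE = re.compile(r"\brzp_(?:live|test)_[A-Za-z0-9]{14}\b")
# A key_secret-style name assigned a long alphanumeric value, whether in Java,
# JSON, XML or .properties syntax (the name may be prefixed with "razorpay").
KEY_SECRET_RE = re.compile(
    r"(?i)\b(?:razorpay[_-]?)?key[_-]?secret\b[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9]{16,})"
)

Finding = Tuple[str, int, str]  # (path, line number, finding type)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per matching line; a line can yield both types."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if KEY_ID_RE.search(line):
            findings.append((path, lineno, "razorpay_key_id"))
        if KEY_SECRET_RE.search(line):
            findings.append((path, lineno, "razorpay_key_secret"))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def classify(findings: List[Finding]) -> str:
    """A key ID is meant to reach the client; a key secret in the package is critical."""
    types = {kind for _, _, kind in findings}
    if "razorpay_key_secret" in types:
        return "critical"
    if "razorpay_key_id" in types:
        return "info"
    return "clean"


# Constructed sample tree: the first file reproduces the mistake, the second is benign.
SAMPLE_FILES = {
    "app/src/main/java/com/example/Checkout.java": (
        'String keyId = "rzp_live_AbCdEfGhIjKlMn";\n'
        'String keySecret = "ThisIsAConstructedFakeSecret1234";\n'
    ),
    "app/src/main/res/values/strings.xml": (
        '<string name="api_base">https://api.example.invalid/</string>\n'
    ),
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for path, lineno, kind in found:
        print(f"{path}:{lineno}: {kind}")
    print("verdict:", classify(found))  # prints "verdict: critical"
```

Failing the build on a "critical" verdict keeps the secret server-side, where the order-creation and signature checks that need it belong.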