Today, as the entire development community of India is stunned by the bugs uncovered in the OLA wallet (#olahack), I would like to congratulate two of our coders who accidentally found this vulnerability while working on a weekend project. Shubham and Kartik, who are roommates and from the same college, are star coders at Kuliza. They were able to hack into one of the most sought-after start-ups with minimal effort.

When Shubham explained this bug, it was really hard to believe. Could this be true? How could the ‘Startup of the Year’, focusing vigorously on tech hiring, miss out on something so critical? Within a day, the corridors of Kuliza buzzed with this information. Judging by the speed at which this information travelled, we were afraid that people might misuse what they had heard, which could trickle down to a hefty price that Ola might have to pay. Quick on our feet, the first thing we did was to ensure that this news remained within the four walls of Kuliza. The need of the hour, to remain discreet, was communicated to our employees. I think we did pretty well here. Hats off to every team member for rising to the occasion and keeping Kuliza’s ethical culture in mind. Our next step involved testing the complete app from the security point of view. We carried this forward using security and vulnerability research tools like Appknox, a standard practice at Kuliza. To our surprise, the app was a letdown in several aspects.

As recently as two months ago, the Appknox engine reported the Ola Cabs app to be 42.86% unsecured. We then decided to do an in-depth analysis of the bugs that were reported. What we found was that more than 80% of the apps in the Top 100 grossing applications of the Google Android app store have problems with incorrect SSL configuration. Delving deeper into this matter, we further found issues related to cryptographic keys, insufficient transport layer protection and issues in the SSL certificate verifier. And we thought all this was basic. Or was it?

Having identified these vulnerabilities, we felt the need to reach out to the CEO of Ola, Bhavish. Quickly getting his e-mail id from one of our ex-employees who was his friend at IITB, we sent him an informative e-mail explaining the exact problem, the exact steps for reproducing the error, and we even suggested solutions in a blog format. We hoped that this issue would be taken rather seriously. To our surprise, all we got in response to our e-mail was a standard ‘Thank You’ mail from their security team, informing us that they would ‘try’ to get this bug fixed at the earliest (along with a request not to make this public). To us, this e-mail clearly meant one thing: Ola had taken this threat with a pinch of salt, not taking it seriously enough to resolve it immediately and treating it like a mundane bug report.

Here are some screenshots of the conversation:

[Screenshot: our initial e-mail to Ola, captured 2015-03-19]

We received a response after a day, which also requested that we not disclose this information until the bug was fixed.

[Screenshot: Ola security team’s response, captured 2015-03-19]

After 1.5 months of reporting, the major issues with the Ola wallet were finally solved. However, other issues with transport layer protection and password encryption remained, and we can only guess how long it might take before these bugs get resolved.

Being an Indian startup, Kuliza shares the same feeling as several entrepreneurs. We would love to see Indian start-ups give a tough fight to biggies like Uber, Amazon etc. Today, with millions in funding pumped into our startups, should the focus really be just on competing on hiring and salaries, or should companies instead focus on building robust tech processes, providing great mentorship and developing world-class products? Basic issues like wrong DB design and predictable order IDs can be easily rectified if there is some level of code and design review. While everybody is tilting towards agile development, it’s equally important to keep a check on quality and on the tech processes that ensure it.

I hope that every startup takes a lesson from this and we as a community come up with some kickass products in the years to come!

Long live #indianstartups #codequality #weekendhackathon

Once again, thanks to Shubham, Kartik and the whole Kuliza team. Keep coding and keep rocking.