INTERNET | Internet Software & Services / Monitoring & Security
cloudsek.com


Founded Year

2015

Stage

Incubator/Accelerator | Alive

Total Raised

$2.52M

Last Raised

$20K | 2 yrs ago

Mosaic Score

+160 points in the past 30 days

What is a Mosaic Score?
The Mosaic Score is an algorithm that measures the overall financial health and market potential of private companies.

About CloudSEK

CloudSEK is an Artificial Intelligence powered Digital Risk Management enterprise that aims to provide the intelligence needed to tackle online threats.

CloudSEK Headquarters Location

648/L(3rd Floor) BKN Ambaram Estates Swamy Vivekananda Rd

Bengaluru, 560038,

India

+91 080 4374 1298

Latest CloudSEK News

EXCLUSIVE | 10 mobile apps exposing Razorpay transaction keys

Sep 16, 2021

CloudSEK said leaked API details can be exploited to gain personal details of users, like phone numbers and email addresses, and also to initiate unauthorised refunds. Mobile applications of companies like Isha Foundation, Zify and Ruptok are named in the report.

September 16, 2021 / 05:52 PM IST

Nearly 10 mobile applications using Razorpay as payment gateway are exposing secret keys, putting personal data of users at risk, a report by cybersecurity company CloudSEK said. The report made it clear that Razorpay is not at fault and that it is the individual companies that are to blame.

The 10 mobile applications include those of Jaggi Vasudev's Isha Foundation, steel trading e-commerce app Steeloncall.com, vehicle hiring app Zify, fintech platform Ruptok and Spark Live. The API keys are exposed in these applications, the report said. About 250 apps use the Razorpay API for financial transactions.

API, or Application Programming Interface, is a software intermediary that allows two applications to talk to each other. It is the messenger that delivers your request to the service provider you're requesting it from and then delivers the response back to you.

What are the potential dangers?

If the API ID and secret key are leaked, they can be exploited not only to gain personal information of users, like phone numbers and email addresses, but also to initiate unauthorised refunds. "An adversary can make bulk purchases and then initiate refunds. Such refunds can also lead to significant losses for the company," the report accessed by Moneycontrol stated.

In fact, during the investigation, CloudSEK was able to access the transaction information for Rs 1,82,813, along with the payment IDs. Using just these two details, an adversary could carry out a refund, the report titled 'Exposed Payment Integration API Keys Imperil Millions of User's Transaction Details and PII' said.

A merchant's API key is a combination of a key ID and a secret key, both of which are required to make any API request to Razorpay.

While this makes up only 5 percent of the total apps investigated by CloudSEK, these applications have a cumulative download count of 2.5 million. Given that a purported 8 million businesses use Razorpay to facilitate payments, the actual number of apps exposing their API keys could be much higher.

The report also warned that, besides the risk of orchestrating scams and even identity theft using this personal data, a threat actor can either dump or sell the financial information, transaction details, and other personal information of users on cybercriminal forums or dark web marketplaces.

Razorpay responds

Razorpay said its API keys are secure. If not, many merchants would have been affected, it said. "Razorpay clearly mentions in contracts signed with merchants that such keys should not be exposed on any public platform," Hepsibah Rosario, Head of Corporate Communication and Branding at Razorpay, told Moneycontrol.

She added that some of the merchants that had their platform keys exposed on public platforms were notified by the company to deactivate them. "We disabled it from our end when we received no response from the merchants or if the data was still public. Customer safety and merchant data is of utmost importance," she added.

Talking about the methodology of the report, CloudSEK stated that whenever a BeVigil user submits an Android application for scanning, the company runs scanners and algorithms over it and gives the app a rating based on the security incidents found. BeVigil is a free mobile application security testing tool. "There are certain algorithms we use to find the secrets from android applications," it said in an email response.

Is there a solution?

For Razorpay and other payment providers, mobile apps "are just one integration. They have integrations with web applications and wallets, and they can even be used on-premise in offices, shops, and other locations. Hence, exposed API keys don't endanger the app but the entire merchant organisation's payment data," the report noted.

As a remedial action, the report suggests steps to invalidate the leaked keys and regenerate a new key-secret pair. However, doing so could take multiple days to execute, depending on factors such as the number of downloads, the flexibility of distribution, etc. It would be a challenge if the app is used on older versions of Android, since getting all users to update to the new version may prove difficult. It further suggested that app developers release a new version of the app with the key removed.

"In order to avoid these issues, app developers are encouraged to be cognizant of the long-term effects of exposed API keys and set up review processes to avoid exposing the keys in the first place," the report concluded.

Smriti Chaudhary


Expert Collections containing CloudSEK

Expert Collections are analyst-curated lists that highlight the companies you need to know in the most important technology spaces.

CloudSEK is included in 2 Expert Collections, including Artificial Intelligence.

Artificial Intelligence

7,364 items

This collection includes startups selling AI SaaS, using AI algorithms to develop their core products, and those developing hardware to support AI workloads.

Cybersecurity

4,682 items
