Many Security Holes: BHIM APP

It appears that the Bhim App is not as kosher from a security and privacy point of view as some of the media articles tout it to be.

Bhim App
Senthil from Chennai has tweeted the following about the Bhim app, and I, Samir Kelekar, a software professional, have tested it.
Last week, Kelekar wrote exclusively for Sabrangindia about how, in a hurry to present one more sop before the crucial 2017 elections in five states, the Bhim app was released without even basic functionality testing.
St_Hill on Twitter

This is highly interesting.
When one uses the Request Money feature in Bhim and inputs a mobile number, the next screen reveals the name of the person from whom money is requested, provided of course that he/she is also a Bhim user. There is no need to send any money to the person. This has huge implications.
By writing a bot (an automated program) that continuously loops through one number at a time sequentially, one could actually make a reverse directory listing of all Bhim users (currently more than 3 million users).
The reverse listing can then be inverted to make a regular listing. The reverse listing is exactly what TrueCaller provides as a service. TrueCaller, however, has some protection against bots. TrueCaller also used to allow one to remove one's name from its list, at least as of a few years ago.
So, if you are a Bhim user and are concerned about your number being leaked, sorry, hard luck. Obviously getting a bot working is not a trivial job, but for professional hackers this is all in a day's work.
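The enumeration described above can be shown in miniature. The following Python is an added illustration, not code from the original article and not the BHIM app's own code: it models a "request money" lookup that returns a payee's display name for any registered number, runs a sequential bot against it to build the reverse listing, inverts that into a regular listing, and then shows what a simple per-requester lookup quota does to the same bot. The registry, the numbers and the quota value are constructed for the example.

```python
"""Mock of a name-revealing lookup, a sequential enumeration bot, and a quota.

Everything here is constructed: the registry, the numbers and the quota.
It is not the BHIM app's code and makes no claim about its real endpoints.
"""
from collections import defaultdict

# Constructed registry: a few fake numbers mapped to display names.
REGISTRY = {
    "9000000003": "A. Kumar",
    "9000000007": "B. Singh",
    "9000000012": "C. Rao",
}


class NaiveLookup:
    """Returns the payee name for any registered number, with no limit.

    This mirrors the behaviour described above: the name is shown before any
    money changes hands, so each lookup is free information for a bot.
    """

    def __init__(self, registry):
        self.registry = registry
        self.calls = 0

    def resolve(self, requester, number):
        self.calls += 1
        return self.registry.get(number)


class RateLimitedLookup(NaiveLookup):
    """Same lookup, but each requester gets a fixed number of lookups.

    A per-account quota is the cheapest mitigation; it slows one bot but not
    a botnet, so it should be paired with abuse detection and with not
    revealing the name until the payee accepts the request.
    """

    def __init__(self, registry, max_lookups_per_requester):
        super().__init__(registry)
        self.limit = max_lookups_per_requester
        self.count = defaultdict(int)

    def resolve(self, requester, number):
        self.count[requester] += 1
        if self.count[requester] > self.limit:
            raise PermissionError("lookup quota exceeded")
        return super().resolve(requester, number)


def enumerate_directory(service, requester, prefix, width):
    """Sequentially try every number `prefix` + `width` digits.

    Returns the reverse listing (number -> name) the bot managed to collect
    before the service cut it off, if it ever did.
    """
    found = {}
    for suffix in range(10 ** width):
        number = f"{prefix}{suffix:0{width}d}"
        try:
            name = service.resolve(requester, number)
        except PermissionError:
            break  # quota hit: the bot learns nothing more from this account
        if name is not None:
            found[number] = name
    return found


def reverse_to_forward(reverse_listing):
    """Invert number -> name into name -> [numbers] (the 'regular listing')."""
    forward = defaultdict(list)
    for number, name in reverse_listing.items():
        forward[name].append(number)
    return dict(forward)


if __name__ == "__main__":
    naive = NaiveLookup(REGISTRY)
    listing = enumerate_directory(naive, "bot-account", "90000000", 2)
    print("unlimited lookup:", listing, "after", naive.calls, "calls")
    print("regular listing:", reverse_to_forward(listing))

    limited = RateLimitedLookup(REGISTRY, max_lookups_per_requester=5)
    print("with quota of 5:", enumerate_directory(limited, "bot-account", "90000000", 2))
```

Against the unlimited lookup the bot recovers every registered number in the block with one call per number; against a quota of five lookups it recovers only the first hit before being cut off. Note that a quota merely raises the cost per account, and an attacker with many accounts or SIMs recovers the same listing in parallel, which is why the stronger fix is to show the payee's name only after the payee has consented to the request.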
I tried to confirm what Senthil wrote, and input my friend Dinesh Bareja's number in the Bhim app; this is what I got (the number is redacted for privacy).

So, what then is the real story with Bhim?
For one, if you are concerned about your number getting leaked, you should uninstall Bhim till this issue is fixed.
Incidentally, Paytm also has similar functionality for sending money based on mobile numbers.
While I haven't tested Paytm, I believe (prima facie) that the name of the person is revealed only after the money is sent.
The question also arises whether all the payment functionalities in the Bhim app are in order.
While one cannot say anything definitive at this point, the sloppy testing behind Bhim, evidenced by the two bugs found so far (see my earlier article, Cashless disaster: Bhim App Released Without Basic Security Measures in Place), should be a huge sign of caution to all security-conscious users.
(The author is a security professional based in Bangalore)