Journalists from the German broadcaster were able to access names, phone numbers, profile pictures, email addresses, and location data of oBike’s users online.
They also found that oBike had put no access controls in front of this data. When oBike users linked their social media accounts to the app to share invitation codes and completed rides, their personal data was exposed to anyone who queried the service, and could be harvested or abused.
The data breach reportedly lasted for at least two weeks.
An oBike spokesperson told CNET that the security flaw stemmed from a gap in the application programming interface (API) that let users refer friends to sign up: the referral endpoint returned more user data than it should have. The company says it has since removed the offending API.
oBike emphasised that only a small group of users were affected. Users' passwords and credit card details were not compromised, the company said, because the app does not store this information.
oBike's security vulnerabilities had been flagged several times by security researchers in Taiwan, as early as June this year, but no action was taken at the time.
Image Credit: oBike