LazyPay Security Flaw, Now Fixed, Could Have Been Used to Acquire Sensitive User Information

LazyPay parent PayU fixed the issue quickly after it was reported by a security researcher.

Advertisement
By Jagmeet Singh | Updated: 16 June 2021 15:15 IST
Highlights
  • LazyPay security flaw was found by a security researcher
  • It could have allowed attackers to steal user data from a vulnerable API
  • LazyPay parent PayU quickly responded and fixed the flaw

LazyPay is one of the popular “buy now, pay later” platforms in India

LazyPay, the digital credit platform by Netherlands-based fintech company PayU, was found to have a security flaw that could have allowed hackers to obtain user data such as their full name, gender, date of birth, and phone number, according to a security researcher. He said that the issue was resolved quickly after it was reported to PayU, and the company confirmed the vulnerability but told Gadgets 360 that there was no user data leaked. However, LazyPay has not informed its users about the flaw and its fix.

Bengaluru-based Ehraz Ahmed discovered the vulnerability in LazyPay. He stated that the flaw allowed attackers to fetch sensitive user information by using the phone number of any registered users on the platform.

Advertisement

Upon getting the phone number, an attacker could get data such as the full name, gender, date of birth, postal address, profile picture, primary and secondary email addresses, and know-your-customer (KYC) status, Ahmed explained in a blog post.

He added that the issue was vulnerable as a hacker with minimal programming skills could easily create a program to fetch a series of phone numbers and pass them to the unsecured API to extract sensitive user information in an automated way. The researcher told Gadgets 360 that he found the flaw by tricking one of the API endpoints provided by LazyPay to third-party developers.

Shortly after finding the vulnerability in October, Ahmed reached out to LazyPay parent PayU. The company acknowledged the issue and responsibly fixed it right away. Ahmed reached out to Gadgets 360 with the details about the flaw in late May. After understanding the issue, we communicated with PayU to get further clarity on the matter.

A PayU spokesperson the flaw and also assured Gadgets 360 that its fix was already in place.

Advertisement

“PayU takes the security of our systems and our data very seriously,” the spokesperson said. “We are continuously running checks to ensure that our payment systems are safe and secure for everyone to access and use. The incident with regard to the security gap with LazyPay which was reported in the month of October was immediately resolved. There was no leak of customer information due to this incident.”

The company, however, did not inform its customers directly about the incident that had put their personal data at risk.

Advertisement

Launched back in 2017, LazyPay comes as a “buy now, pay later” offering by PayU to let customers make repayments for their orders online via instalments. The platform is claimed to be accepted across over 250 websites and apps, including BookMyShow, Flipkart, MakeMyTrip, and Swiggy.

LazyPay also offers personal loans up to Rs. 1 lakh through a digital process. Customers signing up on the platform are required to provide their photo ID proofs such as PAN or Aadhaar, alongside their bank details, and a selfie.


Interested in cryptocurrency? We discuss all things crypto with WazirX CEO Nischal Shetty and WeekendInvesting founder Alok Jain on Orbital, the Gadgets 360 podcast. Orbital is available on Apple Podcasts, Google Podcasts, Spotify, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.
 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: LazyPay, PayU, security flaw
Advertisement

Related Stories

Popular Mobile Brands
  1. Best Camera Phones Under Rs. 30,000 for Content Creators in India
  2. Amazon Prime Day 2026: Best Deals on iQOO Smartphones
  1. Amazon Prime Day 2026 Laptop Deals: Best Discounts on HP, Asus, Lenovo, Dell, Acer Models
  2. Best Camera Phones Under Rs. 30,000 for Content Creators in India: Motorola Edge 70 Fusion, Galaxy F56, More
  3. Boat Stone 900 Launched in India With Up to 80W Sound Output, Up to 15 Hours Audio Playback: Price, Features
  4. Cyberpunk 2077 Has Sold 40 Million Copies, CD Projekt Red Confirms
  5. Nothing Phone 1 Receives Final Software Update With Latest Security Patches, Bug Fixes and Improvements
  6. Nokia 235 4G (2026), 215 4G (2026) Launched Alongside Nokia 210 4G, and 200 4G With AI Assistant Button
  7. Samsung Galaxy S27 Ultra Battery Details Leaked; Could Top iPhone 18 Pro Max's Battery Capacity
  8. OnePlus Ace 7 Series Tipped to Feature 185Hz Display, 9,000mAh Battery
  9. WhatsApp Rolls Out Primary Device Support on iPad, Tests New Setup Screen for Android Tablets: Report
  10. Government Directs App Stores to Remove Malicious Apps Used to Disrupt E-Rickshaw Operations: Report
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.