Bykea, the ride-hailing, mobility, and delivery app used across several Pakistani cities, was reported to have been hacked on Tuesday after users began receiving highly inappropriate text messages from the app.

“We apologise for the inappropriate messages sent through Bykea. We can confirm that this was a third party communication tool which got compromised,” the company said in a statement.

The company also claimed to have restored the app, which it said was now “fully functional and safe to use”.

After the news broke, we ran a vulnerability scan of the Bykea Android app using Yaazhini, and several security weaknesses were identified. First, the app was observed to use plain HTTP rather than HTTPS, which exposes any user data sent over those connections to interception or tampering by anyone on the network path. A static scan flags URL literals and manifest settings rather than live traffic, so a cleartext finding should be confirmed by routing the app through an intercepting proxy before it is reported as exploitable.

Second, JavaScript is enabled in the app's Android WebView. On its own that is not a flaw, but combined with pages loaded over HTTP, or with a JavaScript-to-Java bridge exposed through addJavascriptInterface, it opens the door to cross-site scripting (XSS): an attacker who can inject script into a page the WebView renders can execute code in the app's context and potentially read user information.

Third, the app contains hardcoded IP addresses. These tell an attacker exactly which servers to target, cannot be rotated without shipping an app update, and usually go hand in hand with plain HTTP, since public CAs rarely issue certificates for bare IP addresses. To close these gaps, Bykea should serve all traffic over HTTPS and block cleartext with an Android network security config (cleartextTrafficPermitted="false"), enable WebView JavaScript only where a feature needs it and never for untrusted or HTTP-loaded content, and address its servers by hostname with properly validated certificates rather than by raw IP.
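The three findings above are the kind a static scanner produces, and a practitioner will want to reproduce and triage them before trusting the verdict. The following checker is an added example written for this article, not Bykea's code and not part of Yaazhini. It runs the same three checks (cleartext URL literals, hardcoded IPv4 addresses, risky WebView settings) plus a manifest check over constructed sample input; the file names, hostnames, addresses and manifest are placeholders, not anything taken from the real app.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input in the shape of decompiled Android sources and a
# manifest. Illustrative placeholders only; this is not Bykea's code.
SAMPLE_SOURCES = {
    "com/example/app/ApiClient.java": '''
        private static final String BASE_URL = "http://api.example.internal/v1/";
        private static final String LEGACY = "http://203.0.113.10:8080/";
        private static final String CDN = "https://static.example.com/";
        private static final String BUILD = "4.12.0.300";
    ''',
    "com/example/app/WebActivity.java": '''
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new Bridge(), "Android");
        webView.loadUrl(getIntent().getStringExtra("url"));
    ''',
}

SAMPLE_MANIFEST = '''<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:usesCleartextTraffic="true" android:label="Example"/>
</manifest>'''

# Same manifest with cleartext explicitly disabled, for comparison.
HARDENED_MANIFEST = SAMPLE_MANIFEST.replace(
    'usesCleartextTraffic="true"', 'usesCleartextTraffic="false"')

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
CLEARTEXT_URL = re.compile(r'\bhttp://[^\s"\'<>]+')
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_cleartext_urls(sources):
    """(file, url) for every plain-HTTP URL literal. Each one is a candidate
    for interception; confirm with a proxy capture before reporting it."""
    return [(path, m.group(0))
            for path, text in sources.items()
            for m in CLEARTEXT_URL.finditer(text)]


def find_hardcoded_ips(sources):
    """(file, ip) for literals that are valid IPv4 addresses. The octet
    check drops dotted version strings (e.g. 4.12.0.300) that the bare
    regex would otherwise report as addresses."""
    hits = []
    for path, text in sources.items():
        for m in IPV4.finditer(text):
            if all(int(octet) <= 255 for octet in m.group(0).split(".")):
                hits.append((path, m.group(0)))
    return hits


def find_webview_risks(sources):
    """Flag what turns 'JavaScript enabled' into real exposure: JS on, a
    JS-to-Java bridge, and a page URL taken straight from an Intent extra."""
    checks = [
        ("javascript_enabled", re.compile(r"setJavaScriptEnabled\(\s*true\s*\)")),
        ("js_bridge", re.compile(r"addJavascriptInterface\(")),
        ("untrusted_url", re.compile(r"loadUrl\(.*getIntent\(\)")),
    ]
    return [(path, name)
            for path, text in sources.items()
            for name, pat in checks
            if pat.search(text)]


def manifest_allows_cleartext(manifest_xml):
    """True/False when usesCleartextTraffic is stated explicitly. None when
    the manifest is silent: the effective default then depends on
    targetSdkVersion (API 28+ blocks cleartext) and on any
    networkSecurityConfig, which needs its own review."""
    app = ET.fromstring(manifest_xml).find("application")
    flag = app.get(ANDROID_NS + "usesCleartextTraffic")
    if flag is None:
        return None
    return flag.lower() == "true"


def scan(sources, manifest_xml):
    """Collect all findings in one report dict."""
    return {
        "cleartext_urls": find_cleartext_urls(sources),
        "hardcoded_ips": find_hardcoded_ips(sources),
        "webview": find_webview_risks(sources),
        "manifest_cleartext": manifest_allows_cleartext(manifest_xml),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_SOURCES, SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against sources produced by a decompiler such as jadx and the app's decoded AndroidManifest.xml. The WebView check is the one most worth reading carefully: JavaScript alone is noise, but JavaScript plus a bridge plus a URL the app did not choose is the combination that makes the XSS concern above concrete.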