How I found a Critical Vulnerability in a Bus Mobile App that leads to user account takeover and unlimited free rides.

0x5uryax1 - Surya
5 min read · Apr 27, 2024


Only for educational purposes. I reported this vulnerability and it has been fixed now.

Hello Hackers,

I am Surya, a really passionate cybersecurity researcher. I recently found a security flaw in a public bus service app. This flaw exposed important API endpoints, which could be used to take over user accounts, track users' live locations, and even get unlimited free rides on their buses around the city.

Back Story

I take the city bus every day to get to work. It’s a convenient way for me, my colleagues, my friends, and my roommates to get around town. The bus service has a mobile app that helps commuters track bus locations, find the nearest bus stops, and access other useful information. As a security researcher, I always ensure that the applications I use are safe. That’s why, one day, I decided to test the app to see how secure it was.

Let’s get Started…

I used jadx to decompile the app. There are other tools for decompiling an app as well, but I find jadx more useful because it makes finding and navigating through the code easy.

# We're taking the name of the app as base.apk
# Open the APK in the jadx GUI to browse the decompiled sources

jadx-gui base.apk

After going through the code and analyzing the main activity, I found some variables holding the API endpoints that the mobile app was using to log in a user, activate the pass, get the user's location, and fetch some other useful information. The list of URLs was very long.

I went to their API endpoints and found that there was no protection mechanism implemented, meaning anyone with the link could use their API. After analyzing all the endpoints and their usage, I was very clear about what I could do with them, so first I tried to take over my friend's account, using the number he had registered in their mobile app.

CheckOTP endpoint in the API.

First I went to the CheckOTP endpoint, which takes four fields:
1. UserID
2. OTP
3. IMEI
4. DeviceType

The CheckOTP endpoint has 4 input fields.

We can find all these details from another endpoint called getimei, which takes only a UserId and returns mobile_number, imei, and devicetype.

The GetImei endpoint only takes one user input.

I tried entering a random 1-digit integer value, and got:

Got all the information I need to validate the OTP.

But the information was not enough to take over a particular user's account, because I didn't know my friend's UserId. So I captured the request in Burp Suite and sent it to Intruder.

First, I added the UserID parameter as a payload position.

UserID field is the payload position

Then I set the payload type to Brute forcer and changed the character set to only 0-9.

When I tested it the first time, I set the Min length to 1 and the Max length to 5. But I didn't keep a POC of that, so now, just for demonstration purposes, I'm setting the Min length to 4 and the Max length to 5, as I already know my friend's user id.

See the Payload Type, Character Set, Min Length and Max Length.

Now, I have set my friend's number in the Grep - Match section of the attack settings.

My friend's phone number in the Grep - Match section of the attack settings.

Then I started the attack and sorted the results by the phone number I had entered in Grep - Match.

My friend's phone number has been matched.

Now I had all the details I needed to take over my friend's account.

First, I opened the mobile application on my phone and entered my friend's phone number; the application then sent the OTP to my friend's phone.

Then I went to the CheckOTP endpoint, captured its request, and added the OTP parameter as a payload position.

CheckOTP captured request.

After configuring my attack payload types and the other settings, I started the attack.

Observe that the successful response has a different length and contains the OTP.

For the correct OTP I got a response with Length 285 and the OTP value in the body, but for an incorrect OTP I got a response with Length 282 and 500 in place of the OTP.

Then I checked my friend's mobile for the OTP; the screenshot is below.

Then I tried with that OTP and it was valid.
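The brute force above works because CheckOTP accepts unlimited guesses, echoes the OTP back on success, and answers right and wrong codes with bodies of different lengths. As an added example (not code from the post or from the bus operator), here is how a server-side OTP verifier can close those gaps: a per-user attempt cap, an expiry, a constant-time compare, single use, and one identical body for every failure. All names, values and the in-memory store are constructed for the demo; the example checks only UserID and OTP, since the IMEI and DeviceType values were themselves obtainable from getimei.

```python
# Added example: hardened OTP verification (constructed, not the app's real API).
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5          # wrong guesses allowed before the OTP is discarded
OTP_TTL_SECONDS = 300     # OTP lifetime in seconds


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    attempts: int = 0


_pending: dict = {}       # UserID -> PendingOtp (constructed in-memory store)


def issue_otp(user_id: str, now: Optional[float] = None) -> str:
    """Create a fresh 6-digit OTP. It is returned here only so the demo can
    deliver it; a real service would send it by SMS and never return it."""
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[user_id] = PendingOtp(code, time.time() if now is None else now)
    return code


def check_otp(user_id: str, otp: str, now: Optional[float] = None) -> dict:
    """Verify an OTP. Every failure (unknown user, expired, locked out, wrong
    code) returns the same body, so response length cannot act as an oracle,
    and the caller gets at most MAX_ATTEMPTS guesses per issued OTP."""
    now = time.time() if now is None else now
    failure = {"status": "invalid"}
    entry = _pending.get(user_id)
    if entry is None:
        return failure
    if now - entry.issued_at > OTP_TTL_SECONDS or entry.attempts >= MAX_ATTEMPTS:
        _pending.pop(user_id, None)          # expired or exhausted: throw it away
        return failure
    entry.attempts += 1
    if not hmac.compare_digest(entry.code.encode(), otp.encode()):
        if entry.attempts >= MAX_ATTEMPTS:
            _pending.pop(user_id, None)      # lock out: even the right code now fails
        return failure
    _pending.pop(user_id, None)              # single use
    return {"status": "ok", "session": secrets.token_urlsafe(32)}   # OTP never echoed
```

With a 6-digit code and a cap of 5 attempts, a guesser's chance per issued OTP is 5 in a million, and the OTP value never appears in any response.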

Important Things

While I can't go into full detail for security reasons, I found that the API endpoints could be manipulated in various dangerous ways. For example, someone could use them to activate free bus passes, track users' live locations, or even change the city's bus fare rates. These endpoints had the potential for far more severe impact than this alone.

I hope you liked the updated version of the blog, as it is more detailed.

Do follow for more interesting hacking posts and updates.

Linkedin: @surya-mathur
