Major bug in Ola Cabs app can be exploited to recharge your wallet for free

Major bug in Ola Cabs app can be exploited to recharge your wallet for freeEditor’s note: A previous version of this article carried a number of factual errors. They have been rectified and we apologise to our readers for the same. 
A newly identified security bug in the popular Bengaluru-based Ola Cabs service allows hackers to enjoy unlimited free cab rides.
Ethical hackers Shubham Paramhans and Prateek Panda who work with startups Kuliza and AppKnox, have tested several mobile applications in the past and point out their vulnerabilities out to companies and also, help them solve the problem. When the duo tried an experiment on Ola’s mobile app, Prateek Panda stated that the app was so vulnerable, breaking into it didn’t even deserve to be called a ‘hack’, as reported by Business Standard.
This glitch was detected by Shubham Paramhans in January when he was trying to hire a cab for a weekend project and came across a vulnerability. He said that he was able to exploit glitches in the Ola API and fool it so that he could recharge his wallet at no cost to him.
“After completing the transaction I started connecting the dots to understand their system. Believe me it was one hell of a easy maths. Simply put, it was a very bad design because all the transaction APIs implemented by Ola were using simple HTTP protocol and sending data in plain white text. This was next ‘woohoo’ moment, because this motivated me to find more loopholes and believe me Ola’s system has a lot of them”, he wrote in his blog.
The post further added that Paramhans had made many attempts to contact Ola but received a standard reply in which they wrote that they were aware of these bugs. A snapshot has also been posted on the blog regarding the same.
According to the post:
In short the issues with Ola are :-
1. Weak design of DB and architecture, and glaringly poor implementation on app.For example order-id is supposed to be unique but you can use same order-id to recharge your wallet again and again.
2. It seems that checksum, card id etc isn’t crosschecked with MobiKwik. You can use any gibberish values in place of checksum & card-id, and the recharge will still be done successfully.
3. Lack of implementation of security protocols like HTTPS or any token validation. While making money transactions, some token validation mechanism should have been implemented. At least proper server side validations should be present.
According to Paramhans, he took the decision to post his findings, because of the poor response by the company.

Share this

Related Posts

Previous
Next Post »