While I was at work, a friend of mine, Prasad, pinged me on Facebook with the Olacabs bug bounty URL. I knew they had a program but hadn’t tried my hand at it before. I thought this was the call: wouldn’t it be nice if I could let him know that I made it?
I came home and sat down to hunt Ola. I spent some time seeing what all they had for me to hack. You know, reconnaissance is a very important stage in any successful attack. I spidered the site with my Burp Suite, looked at all the domains and subdomains they have, and got an idea of the different types of applications they run. They had a general landing page with links to support, career portals, Olamoney and other sites. I came across the user portal. That looked interesting and was worth looking into more deeply. It is far different from what is there today; they have since taken all of this out.
I created a test account and logged in. I tried to find bugs in registration, login, account verification and profile update. All the calls were made to the server side via various REST web service endpoints. I guess it’s the same backend API used by their mobile apps. I intercepted the requests and tried to find bugs, but all my tests passed without turning anything up. Damn, they can’t be that good. Let’s try looking deeper.
My eyes fell on the Rides page on the same portal. It allowed the user to see all their historic taxi ride details. I didn’t have any rides there, as my account had just been signed up. I had personally used Olacabs many times earlier, so I logged in with my personal Ola account. The Rides page functionality was split into two phases. First, it sent an API request to get the list of rides, which returned a summary of all the rides (with pagination): date of journey, bill amount and the booking references of the rides. When I clicked on a single ride, it passed the booking reference to the API endpoint /api/get_bookings to get the remaining details of the ride. This JSON response contained the pickup address, drop address, the taxi vehicle details and the bill amount of the booking. That looked interesting: what would happen if I passed a booking reference id that didn’t belong to me?
I quickly logged in as the test account that I had created before and replayed the same HTTP request with the booking reference id that belonged to my personal account. Ola!! It returned the same real details of my ride. Technically, they didn’t have an authorization check in the API. It just returned the booking details without confirming who was asking.
The booking id was alphanumeric and about 10 characters in length. Being one of the top service providers in the country, they must have a huge list of bookings in the database. It wouldn’t be difficult for an attacker to brute force booking ids and collect the confidential data of Ola users.
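To make the root cause concrete, here is an added example (not Ola’s code) that models the /api/get_bookings behaviour described above beside a fixed version: the lookup is scoped to the caller, foreign and unknown references get the same answer, and misses are counted per user so that enumeration stands out. The user ids, booking references and addresses are constructed.

```python
"""Added example (not Ola's code): the missing object-level authorization
check on a booking-details endpoint, and a fixed handler with a simple
enumeration signal. All ids and records below are constructed."""
from collections import Counter

# Constructed sample data: booking reference -> record, including the owner.
BOOKINGS = {
    "A7K2P9QX3D": {"owner": "user_personal", "pickup": "Pickup A",
                   "drop": "Drop A", "bill": 245},
    "M8T1ZL4B6C": {"owner": "user_test", "pickup": "Pickup B",
                   "drop": "Drop B", "bill": 110},
}


def get_booking_vulnerable(session_user: str, booking_ref: str) -> dict:
    """Mirrors the reported flaw: the reference alone selects the record;
    the authenticated caller is never compared with the booking's owner."""
    record = BOOKINGS.get(booking_ref)
    if record is None:
        return {"status": 404}
    return {"status": 200, "booking": record}


def get_booking_fixed(session_user: str, booking_ref: str, audit: Counter) -> dict:
    """Object-level authorization: a reference is only valid for its owner.
    Unknown and foreign references both get 404 so the endpoint does not
    confirm which references exist; every miss is counted per caller."""
    record = BOOKINGS.get(booking_ref)
    if record is None or record["owner"] != session_user:
        audit[session_user] += 1
        return {"status": 404}
    return {"status": 200, "booking": record}


def enumeration_suspects(audit: Counter, threshold: int = 20) -> list:
    """Callers whose miss count reached the threshold. A user clicking rides
    on their own Rides page almost never requests a reference they do not own,
    so a high miss count is a cheap signal that ids are being guessed."""
    return sorted(user for user, misses in audit.items() if misses >= threshold)


if __name__ == "__main__":
    print(get_booking_vulnerable("user_test", "A7K2P9QX3D"))   # leaks another user's ride
    audit = Counter()
    print(get_booking_fixed("user_test", "A7K2P9QX3D", audit))  # {'status': 404}
    print(get_booking_fixed("user_personal", "A7K2P9QX3D", audit))  # owner still sees it
```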
I submitted the bug report to them. They took a long time to resolve it. I got the following response after waiting a month or so:
They said they would initiate the bounty payout process based on the severity and impact. I confirmed to them that I could no longer reproduce the bug and that it looked like it was fixed.
They mentioned that the severity of the vulnerability was low, as the booking id of another user is hard to get. Well, that’s debatable, but I agreed with their decision and sent them my details for the hall of fame as well as for the rewards.
The fitness band was not impressive but I loved the T-Shirt. I wear it to office sometimes.
The hall of fame got updated with my name.
Issue Report: 10th of August, 2016
Issue Fix: 16th of September, 2016
Swags received: 26th of September, 2016
Hall of Fame: 8th of November, 2016
I did tell Prasad that I made it! Hope you enjoyed reading this. Let me know your thoughts in the comments. See you again!