Nothing is safe in a hacker conference: not even the coffee machine
The 6th of July 2019 “LeHack”, one of the oldest French underground hackers’ event took place in The Cité des Sciences et de l’Industrie, in Paris. The morning was super cool, I had the chance to meet and chat with a lot of people. After the meal, I started to feel tired so I decided to have a coffee and that’s where this story begins.
This coffee machine is quite standard, so I paid my coffee with my credit card and I was ready to leave when I saw that.
It’s written “Pay with your smartphone! Download the Coffee cApp”. Wait, what? I can pay my coffee with an Android app! I’m a hacker at a hacker conference with plenty of time. It’s time to do my thing.
I downloaded this <sarcasm>very useful</sarcasm> app and started to use it. Spoiler: The next 2 hours were pretty productive.
First I created an account. Interesting, in the response I received an UserId.
After that, I reset the password of my account. In the POST request, we have a parameter called “Password” which is your current password, a parameter called “ConfirmPassword” which is your new password and wait?! What?! a parameter called “UserUId”. The value of this “UserUId” parameter is equal to the value of “UserId” in the account creation response. What is happening if I replace my UserUId with the UserUId of someone else? Let’s try!
To verify if I can reset the password of another account I created a second account. I reset the password of this second account and in the POST request to the endpoint /User/ResetPassword I replaced the UserUId value by the UserUId of my first account. Bingo, it’s working! The password of the 1st account has been reset!
Ok Elliot, that’s cool but to takeover the account you need to have the UserUId of the victim.
In the first request made during the reset process, the app sends your username, which is equal to your phone number, to their server. If this username exists, you will get a 200 response code.
If you send a random username, the server is telling you “UserNotExists”.
I sent everything to the Intruder in Burp Suite and damn! There is no rate limit, you can brute force all the valid usernames and so enumerate all the accounts. By chaining the 2 vulnerabilities we can now takeover all the accounts of the apps.
Pin brute force
Last but not least, I found another vulnerability in the app. When you create an account, they send you a pin to validate your account.
This is the request sent by the app to validate the pin entered by the user. Did I told you there is no rate limit on the server? As a consequence, you can brute force the valid pin.
Ffs, you don’t need to connect everything, an app for your coffee machine is useless.