Nothing is safe in a hacker conference: not even the coffee machine

Elliot Alderson
Jul 11 · 4 min read

The 6th of July 2019 “LeHack”, one of the oldest French underground hackers’ event took place in The Cité des Sciences et de l’Industrie, in Paris. The morning was super cool, I had the chance to meet and chat with a lot of people. After the meal, I started to feel tired so I decided to have a coffee and that’s where this story begins.

Introduction

This coffee machine is quite standard, so I paid my coffee with my credit card and I was ready to leave when I saw that.

It’s written “Pay with your smartphone! Download the Coffee cApp”. Wait, what? I can pay my coffee with an Android app! I’m a hacker at a hacker conference with plenty of time. It’s time to do my thing.

Description of the CoffeecApp in the Play Store

I downloaded this <sarcasm>very useful</sarcasm> app and started to use it. Spoiler: The next 2 hours were pretty productive.

Account Takeover

Response of the account creation request

First I created an account. Interesting, in the response I received an UserId.

Password reset request

After that, I reset the password of my account. In the POST request, we have a parameter called “Password” which is your current password, a parameter called “ConfirmPassword” which is your new password and wait?! What?! a parameter called “UserUId”. The value of this “UserUId” parameter is equal to the value of “UserId” in the account creation response. What is happening if I replace my UserUId with the UserUId of someone else? Let’s try!

To verify if I can reset the password of another account I created a second account. I reset the password of this second account and in the POST request to the endpoint /User/ResetPassword I replaced the UserUId value by the UserUId of my first account. Bingo, it’s working! The password of the 1st account has been reset!

Ok Elliot, that’s cool but to takeover the account you need to have the UserUId of the victim.

Account enumeration

In the first request made during the reset process, the app sends your username, which is equal to your phone number, to their server. If this username exists, you will get a 200 response code.

If you send a random username, the server is telling you “UserNotExists”.

I sent everything to the Intruder in Burp Suite and damn! There is no rate limit, you can brute force all the valid usernames and so enumerate all the accounts. By chaining the 2 vulnerabilities we can now takeover all the accounts of the apps.

Pin brute force

Last but not least, I found another vulnerability in the app. When you create an account, they send you a pin to validate your account.

This is the request sent by the app to validate the pin entered by the user. Did I told you there is no rate limit on the server? As a consequence, you can brute force the valid pin.

Conclusion

Ffs, you don’t need to connect everything, an app for your coffee machine is useless.

Elliot Alderson

Written by

French security researcher. Worst nightmare of Oneplus, Wiko, UIDAI, Kimbho, Donald Daters and others. Not completely schizophrenic. Not related to USANetwork.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade