#BugBounty — How I could book cab using your wallet money in India’s largest auto transportation company!

Hi Guys,

So one more good hack that I managed to found out during my bug bounty hunt and this comes in India’s largest online auto transportation company. As the title says , I was able to book cab for myself using the victim wallet money. :D . Let’s see what was the whole scenario —

I targeted their web application instead of android app and that I did intentionally. The reason is pretty obvious as companies are more concerned about their android application rather than website just because customer traffic is always more for mobile apps and so their always comes more chances of loopholes where security attention is less.

I went to their site and entered pick up and destination location and was presented with the page to enter mobile number for OTP confirmation —

Mobile number needed to authenticate
OTP Verification

The first general thing that always strikes hunters mind seeing OTP verification is “How to bypass it” . I tried to bruteforce it but some blocking was set on the application after successive wrong attempts. Captured the raw HTTP request to analyse but nothing was helping out. Based on my previous hunt, I have realized one thing that sometime somewhere in the application developers misses server side validation and completely resides on client side .

Let’s try the same thing here . I entered my test mobile number , put the right OTP in the box and saved the success response for it —

HTTP Success Response

As you see, there is no session management hence the only thing left for me is to bypaas OTP verification. Now I entered victim mobile number ,put the wrong OTP and below was the HTTP response —

Wrong OTP HTTP response

I tried bypassing it by capturing the wrong OTP HTTP response and replacing it with the HTTP response of correct OTP and forwarded it and when I did so, I got the following below page —

Ride successfully booked

My ride was successfully booked with victim’s mobile number!!! but the things didn’t stop here. As almost all the cab/auto online platform have their own wallet from where the money automatically deducts if you haven’t chosen some other mode of payment, the same was happening here, money was getting deducted from victim’s wallet hence I was able to book cab with his mobile number using his wallet money. :)

Report details-

03-Feb-2018 — Bug reported to the concerned company.

03-Feb-2018 — Bug was marked fixed.

03-Feb-2018 — Re-tested and confirmed the fix.

09-Feb-2018 — Rewarded by company.

Thanks for reading!

~Logicbomb ( https://twitter.com/logicbomb_1 )