[Responsible disclosure] How I could have booked movie tickets through other user accounts
Note: The vulnerability has been reported and is now fixed.
AGS Cinemas is one of the famous theatres in Chennai, Tamil Nadu. They launched their own movie ticket booking website and apps last year.
This post is about a simple vulnerability I discovered on AGS Cinemas which I could have used to hack into other users’ accounts easily and without any user interaction.
This gave me full access to other users' accounts by setting a new password. I was able to view ticket history, their credit wallet, and other private information.
Suresh Kumar, the CEO of MacAppStudio (technology partner for AGS Cinemas), acknowledged the issue promptly and fixed it. There are quite a few humble persons like him who would accept this kind of security bug, because many would have confronted me for testing their site without their permission.
How the hack worked
Whenever a user forgets their password on AGS Cinemas, they have an option to reset the password by entering their phone number on the forgot password popup.
AGS Cinemas will then send a 4-digit code to this phone number which the user has to enter in order to set a new password.
I tried to brute force the 4-digit code (e.g. 3286) on www.agscinemas.com and wasn't blocked even after 5-6 invalid attempts. Interestingly, rate limiting was missing from the forgot password endpoint.
I tried to take over my own account and was successful in setting a new password for my account. I could then use this same password to log into my own hacked account.
A proof of concept video of the hack
As you can see in the video, I was able to set a new password for the user by brute forcing the code which was sent to their phone number.
POST /php/otpverify.php HTTP/1.1
Brute forcing the "randomnums" parameter successfully allowed me to set a new password for any AGS Cinemas account.
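As an added illustration (not code from the post or from AGS Cinemas' site), here is the kind of server-side check that closes this gap: the reset code is discarded after a small number of wrong guesses, expires after a fixed time, and can be used only once, so a 4-digit code can no longer be guessed exhaustively. It is written in Python rather than PHP, the phone number in the test is constructed, and the values of MAX_ATTEMPTS and OTP_TTL_SECONDS are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5          # wrong guesses allowed before the code is discarded (assumed value)
OTP_TTL_SECONDS = 300     # code lifetime; afterwards a fresh request is required (assumed value)
OTP_DIGITS = 4            # matches the code length described in the post


@dataclass
class _PendingOtp:
    code: str
    expires_at: float
    failures: int = 0


class OtpVerifier:
    """Server-side store holding at most one pending reset code per phone number."""

    def __init__(self):
        self._pending = {}  # phone number -> _PendingOtp

    def issue(self, phone: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # secrets.randbelow is a CSPRNG; zero-pad so that e.g. 0042 is a valid code
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[phone] = _PendingOtp(code, now + OTP_TTL_SECONDS)
        return code  # in production this is sent by SMS, never returned to the web client

    def verify(self, phone: str, guess: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        entry = self._pending.get(phone)
        if entry is None:
            return "no_pending_code"
        if now > entry.expires_at:
            del self._pending[phone]
            return "expired"
        # constant-time comparison so response timing does not reveal matching digits
        if hmac.compare_digest(entry.code, guess):
            del self._pending[phone]  # single use: the code cannot be replayed
            return "ok"
        entry.failures += 1
        if entry.failures >= MAX_ATTEMPTS:
            del self._pending[phone]  # guessing budget spent: a new SMS must be requested
            return "locked"
        return "invalid"
```

A per-phone limit of this kind should be paired with a per-IP rate limit on the endpoint, since the attempt counter alone does not stop an attacker from requesting codes for many accounts.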
Feb 21st, 2018 : Bug was discovered.
Feb 22nd, 2018 : Report sent to MacAppStudio team.
Feb 23rd, 2018 : Acknowledged by CEO.
Feb 24th, 2018 : Issue resolved from their side.