[Responsible disclosure] How I could have booked movie tickets through other user accounts

Bharathvaj Ganesan
Jun 18, 2018 · 2 min read

Note: The vulnerability has been reported and is now fixed.

AGS Cinemas is one of the well-known cinema chains in Chennai, Tamil Nadu. They launched their own movie ticket booking website and apps last year.

“Two CCTV cameras on a gray wall” by Scott Webb on Unsplash

This post is about a simple vulnerability I found in the AGS Cinemas website that could have been used to take over other users’ accounts, with no interaction from the victim.

It gave full access to another user’s account by setting a new password on it: I could then view their ticket history, their credit wallet, and other private information.

Suresh Kumar, the CEO of MacAppStudio (technology partner for AGS Cinemas), acknowledged the issue promptly and fixed it. Few people would accept this kind of security report as graciously as he did; many would have confronted me about testing their site without permission.

How the hack worked

When a user forgets their password on AGS Cinemas, they can reset it by entering their phone number in the forgot-password popup.

AGS Cinemas then sends a 4-digit code to that phone number, which the user has to enter in order to set a new password.

I tried brute-forcing the 4-digit code (e.g. 3286) on www.agscinemas.com and was not blocked even after 5-6 invalid attempts: the forgot-password endpoint had no rate limiting or attempt lockout. A 4-digit numeric code has only 10,000 possible values, so with no limit on guesses the whole space can be tried in minutes, and the only thing the attacker needs is the victim’s phone number.

I tried taking over my own account first and succeeded in setting a new password for it. I could then log in to my own, now hijacked, account with that password.

A proof of concept video of the hack

As the video shows, I was able to set a new password for the user by brute-forcing the code that was sent to their phone number.

Brute-forcing the “randomnums” value (the reset code) allowed me to set a new password for any AGS Cinemas account whose phone number I knew.
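To make the exposure concrete, here is an added simulation of the reset-code check. It is my own example, not the AGS Cinemas or MacAppStudio code (the page does not show their request format or parameter handling): a verifier with no attempt limit, as described above, beside a hardened one that burns the code after five failures, expires it after ten minutes and accepts it only once, with an attacker that simply enumerates all 10,000 values. The `code_source` hook, the class and function names, and the phone number are assumptions made so the simulation runs offline and can be pinned to a known code.

```python
"""Simulated 4-digit SMS reset-code verifier, weak and hardened, plus an
enumerating attacker. Constructed example; not the AGS Cinemas code."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

CODE_LEN = 4
CODE_SPACE = 10 ** CODE_LEN  # only 10,000 possible 4-digit codes


def random_code() -> str:
    """Uniformly random zero-padded code, e.g. '0042'."""
    return f"{secrets.randbelow(CODE_SPACE):0{CODE_LEN}d}"


@dataclass
class PendingReset:
    code: str
    issued_at: float
    failures: int = 0


class WeakResetEndpoint:
    """No attempt limit, no expiry, no invalidation: the design the post describes."""

    def __init__(self, code_source: Callable[[], str] = random_code):
        # Injectable so a simulation can fix the code to a known value (assumption).
        self._code_source = code_source
        self._pending: Dict[str, PendingReset] = {}

    def request_reset(self, phone: str) -> None:
        # In the real flow the code goes out by SMS; here it only lives in server state.
        self._pending[phone] = PendingReset(self._code_source(), time.time())

    def verify(self, phone: str, code: str) -> bool:
        pending = self._pending.get(phone)
        return pending is not None and hmac.compare_digest(pending.code, code)


class HardenedResetEndpoint(WeakResetEndpoint):
    """Same flow with a per-request failure cap, a short lifetime and single use."""

    MAX_FAILURES = 5
    TTL_SECONDS = 600

    def verify(self, phone: str, code: str) -> bool:
        pending = self._pending.get(phone)
        if pending is None:
            return False
        if time.time() - pending.issued_at > self.TTL_SECONDS:
            del self._pending[phone]  # expired; user must request a fresh code
            return False
        if hmac.compare_digest(pending.code, code):
            del self._pending[phone]  # single use: a correct guess cannot be replayed
            return True
        pending.failures += 1
        if pending.failures >= self.MAX_FAILURES:
            del self._pending[phone]  # burn the code after too many wrong guesses
        return False


def brute_force(endpoint: WeakResetEndpoint, phone: str) -> Tuple[Optional[str], int]:
    """Try every code from 0000 upward; return (code that verified, attempts made)."""
    for n in range(CODE_SPACE):
        guess = f"{n:0{CODE_LEN}d}"
        if endpoint.verify(phone, guess):
            return guess, n + 1
    return None, CODE_SPACE


if __name__ == "__main__":
    phone = "+910000000000"  # constructed placeholder, not a real number
    weak = WeakResetEndpoint()
    weak.request_reset(phone)
    print("weak endpoint:", brute_force(weak, phone))
    hard = HardenedResetEndpoint()
    hard.request_reset(phone)
    print("hardened endpoint:", brute_force(hard, phone))
```

Against the weak endpoint the attacker always finds the code, after at most 10,000 requests, because nothing it does is remembered between requests. Against the hardened endpoint the same loop gets five guesses per reset, so its success probability collapses to about 0.05% per code, and a real deployment would add per-IP and per-account rate limiting and alerting on repeated failures as well.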

Disclosure Timeline

Feb 21st, 2018 : Bug was discovered.

Feb 22nd, 2018 : Report sent to MacAppStudio team.

Feb 23rd, 2018 : Acknowledged by CEO.

Feb 24th, 2018 : Issue resolved from their side.

Thanks for reading through 🙌🏼. If you found this article useful, please applaud using the 👏 button and share it with your circles.

Bharathvaj Ganesan

Written by

Fullstack JavaScript Developer | Cybernaut | InfoSec Enthusiast | https://bharathvajganesan.me

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew