Security vulnerabilities in GO-JEK

GO-JEK is an Indonesian unicorn and a competitor to Uber and Grab

Fallible
Mar 24, 2017

GO-JEK is an Indonesian unicorn transport startup, often seen as the most famous and biggest startup to come out of Indonesia. GO-JEK provides services such as bike taxis, cabs, food delivery, mobile payments, ticket booking and more.

At Fallible, one of the things we are working on is accurately automating the detection of data leaks, even in complex logic flows and with non-standard authentication procedures. During a security audit of the public GO-JEK APIs consumed by its mobile applications, we found multiple security vulnerabilities. We contacted GO-JEK with a sample of the leaked data, the record of Mr. Nadiem Makarim, the CEO of GO-JEK (a partially redacted screenshot accompanied the original post). GO-JEK's response in June 2016 was that they were fully aware of all the security issues and that fixes were on the current roadmap. We recently contacted GO-JEK again, and their CISO confirmed that it is now alright to disclose the vulnerabilities publicly.

Vulnerability #1 Ride History Data Leak

You can get the full list of rides taken by any user, including the exact GPS coordinates, by putting their user ID in this endpoint. An Authorization token is sent with the request, but it is not used to check that the caller is the user whose history is being requested: the token only has to be present. Since the user ID is a plain numeric path parameter, iterating over IDs is straightforward.

https://api.gojekapi.com/gojek/v2/customer/v2/history/551925748


Vulnerability #2 Order Details Leak

The same pattern gives the details of any user's orders placed via the GO-JEK API, again by substituting their user ID in the path:

https://gobox-api.gojekapi.com/v1/users/551925748/history


Vulnerability #3 User Data Leak

Given a user's ID number, this endpoint returns their personal details: name, phone number, the driver's personal details, pickup and drop-off locations and other ride-related information. A single response therefore contains the phone numbers of both rider and driver along with the origin and destination coordinates of the ride.

Unconfirmed #4 Get other users' Android notifications for GO-JEK

An unusual issue we detected was that by using another user's ID in an API endpoint you can snoop on the GO-JEK push notifications meant for that user. We are still researching whether this can be chained into something more serious, and we are withholding the API endpoint for now.

There are several other API endpoints that can be used to corrupt user data and disrupt operations. For example, you could change the recorded cancellation reason of every cancelled ride, for every user. The underlying problem is the same as in the read endpoints above: the object is selected by an ID in the request and the caller's token is never checked against the object's owner. We are withholding the write-access APIs at this point.
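Vulnerabilities #1 to #3 and the cancellation-reason write access share one root cause: each endpoint takes a user or ride ID from the URL, and the Authorization token is checked for presence but never for ownership (broken object-level authorization, commonly called IDOR). The block below is an added example and is not GO-JEK's or Fallible's code. It models one read endpoint shaped like the history endpoint and one hypothetical write endpoint, with constructed records, a hypothetical HMAC-based token format and made-up IDs; it shows the missing check beside the corrected one, and includes the two-token probe an audit tool can run to detect the flaw automatically.

```python
# Added example, not GO-JEK's or Fallible's code. Everything here (token
# format, records, endpoint names, IDs) is constructed for illustration.
import hmac
import hashlib
from typing import Optional

SECRET = b"server-side-signing-key"  # hypothetical; a real server keeps this out of code

# Constructed records keyed by user ID; coordinates are hypothetical.
HISTORY = {
    "551925748": [{"ride": "r1", "pickup": (-6.2088, 106.8456), "drop": (-6.1751, 106.8650)}],
    "551925749": [{"ride": "r9", "pickup": (-6.2146, 106.8451), "drop": (-6.2297, 106.8295)}],
}
RIDES = {
    "r1": {"owner": "551925748", "cancel_reason": None},
    "r9": {"owner": "551925749", "cancel_reason": "driver no-show"},
}


def issue_token(user_id: str) -> str:
    """Bearer token bound to a subject: '<user_id>.<hmac>' (hypothetical format)."""
    mac = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def token_subject(token: Optional[str]) -> Optional[str]:
    """User ID the token was issued to, or None if the token is missing or forged."""
    if not token or "." not in token:
        return None
    uid, mac = token.split(".", 1)
    expected = hmac.new(SECRET, uid.encode(), hashlib.sha256).hexdigest()
    return uid if hmac.compare_digest(mac, expected) else None


def require_owner(token: Optional[str], owner_id: str) -> Optional[int]:
    """Object-level authorization: a valid token whose subject owns the object.
    Returns an HTTP status on failure, None when the request may proceed."""
    sub = token_subject(token)
    if sub is None:
        return 401
    if sub != owner_id:
        return 403  # 404 is also defensible, so that valid IDs are not confirmed
    return None


# --- GET /history/<user_id>: the flaw as described, then the fix -------------

def history_vulnerable(user_id: str, token: Optional[str]):
    """The token must be present but is never used: any caller reads any user."""
    if not token:
        return 401, None
    return 200, HISTORY.get(user_id, [])


def history_fixed(user_id: str, token: Optional[str]):
    err = require_owner(token, user_id)
    if err is not None:
        return err, None
    return 200, HISTORY.get(user_id, [])


# --- PUT /rides/<ride_id>/cancel_reason: hypothetical write endpoint ---------

def set_cancel_reason_vulnerable(ride_id: str, reason: str, token: Optional[str]):
    if not token:
        return 401, None
    ride = RIDES.get(ride_id)
    if ride is None:
        return 404, None
    ride["cancel_reason"] = reason  # any caller with any token rewrites any ride
    return 200, ride


def set_cancel_reason_fixed(ride_id: str, reason: str, token: Optional[str]):
    if token_subject(token) is None:
        return 401, None  # authenticate before revealing whether the ride exists
    ride = RIDES.get(ride_id)
    if ride is None:
        return 404, None
    err = require_owner(token, ride["owner"])
    if err is not None:
        return err, None
    ride["cancel_reason"] = reason
    return 200, ride


def idor_probe(handler, victim_id: str, victim_token: str, attacker_token: str) -> bool:
    """Detection used in an audit: fetch the object as its owner, then with an
    unrelated user's token. Same successful body both times means the server
    never checked ownership."""
    own_status, own_body = handler(victim_id, victim_token)
    atk_status, atk_body = handler(victim_id, attacker_token)
    return own_status == 200 and atk_status == 200 and atk_body == own_body


if __name__ == "__main__":
    victim, attacker = "551925748", "551925749"
    v_tok, a_tok = issue_token(victim), issue_token(attacker)
    print("history leaks:", idor_probe(history_vulnerable, victim, v_tok, a_tok))  # True
    print("after fix:    ", idor_probe(history_fixed, victim, v_tok, a_tok))       # False
```

The probe needs two accounts you control; it never touches a third party's data, and it catches the token-present-but-ignored case as well as a server that validates the token's signature but still skips the ownership comparison. Note that the fixed write handler authenticates before the ride lookup, so an unauthenticated caller cannot use 404 versus 403 to enumerate valid ride IDs.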


Written by Fallible. Security for your APIs and cloud endpoints. Visit https://fallible.co
