How we hacked the kicksharing


Foreword

One fine spring evening, I came up with a great idea: to try to reverse the private API of one of the largest scooter-sharing services in the Russian Federation. I must say right away that the director of the company personally gave me permission to publish this material, but asked me not to name the people involved or the service itself. I will also say that this is not a how-to guide: the vulnerability has already been fixed, so there is no point in trying to reproduce it.

Target

To begin with, let’s define the purpose of our study: to understand how the client talks to the server, how a scooter gets started, and whether it is possible to intervene in this process to gain an advantage.

Preparation

Great, the goal is set. How do we achieve it?

To intercept the data packets exchanged between the client and the server, we need a sniffer. The sniffer lets us get into the data transfer by means of a Man-in-the-Middle (MITM) attack.

Figure: How a MITM attack works.

There are a lot of sniffers, but I like HTTP Toolkit (for reasons I do not understand, it is not available in the Russian Federation without a VPN).

Great, we have a sniffer and everything is connected, but here’s the problem: modern applications use TLS to protect their traffic. Without the private key, we will not be able to read the data, much less modify it.

This is where certificate replacement on Android comes to our rescue. In short, we add our own certificate, whose private key we know in advance, to the system trust store. Accordingly, everything transmitted under that certificate can be decrypted.

Replacing the certificate is easy, but Android applications are often reluctant to send data using our certificate, because they do not trust it.

There are two ways here:

  1. If you have root: use HTTP Toolkit’s built-in functionality and install your certificate as a system certificate, which makes all applications trust it.

  2. If you don’t have root: change the application’s network security settings by decompiling it. For this you can use apkmitm.

Since my phone is rooted, I went the first way. I just fired up HTTP Toolkit, connected it to the phone, and it installed its own certificate as trusted. Now every application without protection against certificate spoofing (certificate pinning) will send its data through my certificate.

Reverse engineering

Great, everything is prepared: the certificates are replaced and the sniffer is set up. It’s time to start reversing.

First of all, after opening the application, we see the following.

Figure: Server requests.

Here we see authorization, retrieval of information about scooter models and about whether I have a subscription to their service, and also a request for the cities in which the service is available.

In fact, there are a whole bunch of requests, and analyzing each of them would take until morning.
So, to keep the article short, I will jump straight to the request that allowed me to hack the service and earn my bug bounty for it.

The request in question is /gatewayclient/api/v1/order/make

This request starts a scooter rental, and it actually has few parameters. Apart from the required authorization token and other boring headers, there are only 6 parameters: locationLat, locationLng, isQrCode, rateId, Identifier and withInsurance.

locationLat and locationLng are the user’s coordinates; they are there so that the user cannot take a scooter that is too far away from him.

isQrCode and withInsurance are boolean values (true or false) indicating whether the user took the scooter by QR code and whether he took out trip insurance.

And the most interesting parameters: Identifier and rateId

Identifier – the scooter number

rateId – the id of the tariff at which we take the scooter

rateId hooked me right away, since in theory you can change it and take a scooter at a different rate.

I decided to look at their rates. It turned out that indeed, each price has its own rateId,

for example:

  5 r/m – j123id901k
  8 r/m – 1asda2dasd
  10 r/m – 2ad32ad3a4

I made up all the ids so as not to show the real data, but the layout there is roughly the same.

Unreal fun

I immediately ran off to write a small script based on the mitmproxy module for Python. This module lets you catch requests and modify them on the fly. I wrote a small addon for mitmproxy that replaced the coordinates with coordinates next to the scooter, so that the scooter could be taken from anywhere, and added tariff substitution to the cheapest one. As soon as the software was ready, I quickly uploaded it to my phone and launched it through Termux (a very handy terminal emulator for Android).

I ran to the scooter, brought up the proxy, and rented it. I looked at the phone and realized that I had rented a scooter for 2 rubles per minute instead of the required 10.

I was overjoyed; that evening I rode this scooter for almost an hour, paying only 120 rubles for it instead of the prescribed 600+.

Bug report

Of course, I was extremely happy with my success, but we are all decent people and white-hat hackers. So I rode a little more on cheap scooters and then wrote an email to the service’s support, in which I outlined the essence of the vulnerability and gave suggestions on how to fix it.

They answered me literally within 10 minutes and gave me the contact of their director, saying I should get in touch with him.

I explained it to him; he thanked me and asked what I wanted as a bug bounty. I don’t really need money, nor any kind of merch, so I just asked for more bonuses, since I use their service myself. Within 10 minutes I already had my precious bonuses, which will most likely be enough for me for a couple of years ahead.

How to prevent it? The fix

In general, fixing this vulnerability is quite simple. All that needs to be done is to check on the server whether the tariff submitted by the user is actually available for the scooter he is taking, and if not, refuse the rental. The client-supplied rateId must never be the thing that determines the price.
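One way to implement this server-side check, as an added example that is not the service’s own code: the tariff table, scooter records, pickup radius and function names are all assumed, and the tariff ids are the made-up ones from the article. It also validates the client coordinates, going slightly beyond the fix described above, with the caveat that they are untrusted input.

```python
# Added example (not the service's code): server-side validation of the
# order/make request. All data below is constructed for illustration.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed server-side data; tariff ids are the made-up ones from the article.
TARIFFS = {"j123id901k": 5, "1asda2dasd": 8, "2ad32ad3a4": 10}  # rubles/min
SCOOTERS = {
    # scooter number -> (lat, lng, set of rateIds the server allows for it)
    "SC-0001": (55.7558, 37.6173, {"2ad32ad3a4"}),
    "SC-0002": (55.7600, 37.6200, {"1asda2dasd", "2ad32ad3a4"}),
}
MAX_DISTANCE_M = 100  # assumed pickup radius in metres


def distance_m(lat1, lng1, lat2, lng2):
    """Haversine great-circle distance in metres."""
    lat1, lng1, lat2, lng2 = map(radians, (lat1, lng1, lat2, lng2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lng2 - lng1) / 2) ** 2
    return 2 * 6_371_000 * asin(sqrt(a))


@dataclass
class Decision:
    ok: bool
    reason: str
    price_per_min: int = 0


def make_order(req):
    """Validate an order/make body (a dict of the request parameters).
    The price comes only from the server-side tariff table, and the client's
    rateId is accepted only if the server itself assigned it to that scooter."""
    scooter = SCOOTERS.get(req.get("Identifier"))
    if scooter is None:
        return Decision(False, "unknown scooter")
    lat, lng, allowed = scooter
    rate_id = req.get("rateId")
    if rate_id not in allowed:
        # This is the check that was missing: a valid-looking rateId for a
        # different (cheaper) tariff must be refused, not honoured.
        return Decision(False, "tariff not available for this scooter")
    try:
        d = distance_m(float(req["locationLat"]), float(req["locationLng"]), lat, lng)
    except (KeyError, TypeError, ValueError):
        return Decision(False, "bad coordinates")
    # Client coordinates are untrusted input: this check alone cannot stop a
    # client that lies about its position, so the price must never depend on it.
    if d > MAX_DISTANCE_M:
        return Decision(False, "too far from scooter")
    return Decision(True, "ok", TARIFFS[rate_id])
```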

Conclusion

In conclusion, I will say that the vulnerability actually lies right on the surface, but I had to go a fairly long way to get to it, and I was satisfied with the end result. I hope this case gives you at least a rough understanding of how services are tested for vulnerabilities, and perhaps one of the readers will be able to contribute to improving their favorite service.

Thank you all for your attention, good luck.

Always yours, @moscow_intelligent