«GONE IN 60 SECONDS» using a carsharing service
The story began in a corny way. I was watching a YouTube video in which a guy was talking about a carsharing service. He reviewed the "Find_ME" feature, which sets off a sound alarm in your car when you can't find it, say in a large parking lot. I immediately had a thought: what if I could activate this feature on all the cars owned by the carsharing service?! That would be fun! Just imagine: a large Russian city, and all of a sudden thousands of cars begin to honk and flash their headlights. Just like in the movie "Live Free or Die Hard".
However, everything turned out to be much more interesting. I actually found a way to steal these cars!
The user interface of the app is standard: resource download, splash screen and login form.
But then my plan to trick the service fell through. Since I no longer live in Russia, I don't have a Russian phone number to log into the app, and the application does not support the international number format. For some reason I completely forgot about virtual number services.
Out of desperation I decided to enter +7 000 0000000. I did not expect to be taken to the next step, but I was: a prompt to enter the verification code. A 60-second countdown started, hinting that the password lifetime is very short. I needed to hurry.
How? It didn't make any sense; after all, the number isn't even real!
This situation led me to several conclusions:
- The application does not check the phone number format.
- Probably the format of the number can also be changed by intercepting the request.
- No matter what phone number the application receives, it sends the command to generate a password for that user.
- I.e., somewhere in the database there is now a password that has been assigned to our beautiful number +7 000 0000000.
In general, this method of user authentication is called OTP (One Time Password): the assigned password can only be used once.
It seemed there was nothing I could do. I might as well turn off the laptop and phone and go to bed. But I couldn't let go of the thought: what if I simply guessed that password? After all, there are only 10,000 possible combinations (a four-digit code)! The success of this undertaking was doubtful. I could run into a captcha or get blocked by the server, and at best I could provoke a single "correct password" response by brute force. In OTP format, re-using that password is not allowed. Not to mention the countdown timer, which had long since expired.
I trigger the password-check API call, intercept it, and mark the password field as a dynamic parameter. I set the range of possible values for the brute force. With my fingers crossed, I launch the attack. During such attacks I never try to disguise myself: I don't change IP addresses, I don't use a VPN, I don't reduce the number of threads. I don't need to; I have no motive to hide.
The server answered within 60 seconds: the correct password was found.
But can it be used again? After all, this is a One Time Password.
In the meantime, the countdown timer in the app had sadly greyed out the password entry field, hinting that I was too late.
I put the cursor in the password field, erase the previously entered password, type in the password found by brute force and press the submit button.
Here comes another problem. The application says that we are some kind of "unconfirmed user" and throws us back to the main page after a couple of seconds. Either I had failed to carry out what I planned, or my user really had not passed any moderation, document verification and so on...
In this situation there were only two options: look for friends who use this service, or search for active users who have posted their mobile numbers on the Internet.
Well, as you understand, I couldn't find any friends at such a late hour. So I went looking for users. It was the easiest part. I found the official community of the carsharing service on social media, looked at the comments on the latest posts and opened the profiles of several users. On the 3rd or 4th profile I found a published mobile number.
I took this number and went to test my theory of breaking in.
A couple of minutes later I was in the app as our hacked user. The user had a huge driving history, several tens of thousands in bonus money that can be used to rent a car, and a few payment cards added to the account.
After watching several YouTube videos and reviews, I realised that if I wanted to rent a car as this user, I would not need to enter any additional code protecting the car from being hijacked through a compromised account.
So now I am free to rent any car, and I don't even have to show my ID. The hacked user would pay for the car I took, and would also have to cough up for traffic fines or pay the victims of any accident the car might get into.
At this point I really lost sleep. Of course, getting access to someone's account is not right. But I had found a dangerous logical vulnerability.
A few seconds later I messaged the company's manager and their head of IT. They were not difficult to find.
They actually reacted quite well. Without any objection they acknowledged all the problems I had discovered and started fixing them. Within a week or two the problems no longer existed. I was even offered a car for free for a few days, but I preferred not to complicate the life of someone else's car in a foreign city (I was on a business trip).
What did we learn from the whole situation:
- Do not neglect brute-force protection: limit the number of OTP attempts.
- Check the phone number format if it is used as a login.
- After a single use, the OTP must stop working.
- The OTP lifetime must be short, even if it was not used.
- You do not have to use a phone number as the login.
- It is worth having additional authorization of the user when renting a car via a PIN code (a code the user sets for themselves when registering). The user must enter this PIN in order to unlock the car.
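To make the brute-force attack from the story and the lessons above concrete, here is an added example in Python (my own illustration, not the carsharing service's code). It models one OTP login service whose constructor flags select either the weak behaviour observed in the story (any phone string accepted, unlimited guesses, no expiry, code reusable) or the hardened behaviour (format check, five attempts, 60-second lifetime, single use), and runs the same 0000–9999 enumeration against both. Assumptions, none of which come from the original post: four-digit codes (the only length with 10,000 combinations), Russian mobile numbers written as +79 followed by nine digits, five allowed attempts, and a fixed code of 7777 so the run is reproducible; the `OtpService`, `brute_force` and `demo` names are mine.

```python
"""Hypothetical OTP login flow: the weak behaviour from the story next to a
hardened version. Illustrative code, not the carsharing service's own."""

import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Assumption: logins are Russian mobile numbers, +79 followed by nine digits.
PHONE_RE = re.compile(r"\+79\d{9}")


@dataclass
class Pending:
    code: str
    expires_at: float
    attempts_left: Optional[int]  # None means unlimited guesses


@dataclass
class OtpService:
    """One OTP store; the constructor arguments pick weak or hardened behaviour."""
    digits: int = 4
    ttl: Optional[float] = 60.0        # seconds; None means the code never expires
    max_attempts: Optional[int] = 5    # None means no brute-force protection
    single_use: bool = True
    check_phone: bool = True
    rand: Callable[[int], int] = secrets.randbelow   # swapped out in demo()
    _pending: Dict[str, Pending] = field(default_factory=dict, init=False, repr=False)

    def request_code(self, phone: str, now: float) -> str:
        if self.check_phone and not PHONE_RE.fullmatch(phone):
            raise ValueError("phone must be +79 followed by nine digits")
        code = f"{self.rand(10 ** self.digits):0{self.digits}d}"
        expires_at = float("inf") if self.ttl is None else now + self.ttl
        self._pending[phone] = Pending(code, expires_at, self.max_attempts)
        return code  # would go out by SMS; returned here only for the demo

    def verify(self, phone: str, guess: str, now: float) -> str:
        entry = self._pending.get(phone)
        if entry is None:
            return "no_pending_code"
        if now > entry.expires_at:            # lesson: short lifetime even if unused
            del self._pending[phone]
            return "expired"
        if entry.attempts_left is not None:   # lesson: brute-force protection
            if entry.attempts_left <= 0:
                del self._pending[phone]
                return "locked"
            entry.attempts_left -= 1
        if not hmac.compare_digest(entry.code, guess):
            return "wrong"
        if self.single_use:                   # lesson: OTP dies after one use
            del self._pending[phone]
        return "ok"


def brute_force(svc: OtpService, phone: str, now: float) -> Tuple[Optional[str], int]:
    """Enumerate every code, as the story's attack did.
    Returns (code, requests_sent), or (None, requests_sent) if stopped."""
    tried = 0
    for n in range(10 ** svc.digits):
        guess = f"{n:0{svc.digits}d}"
        tried += 1
        result = svc.verify(phone, guess, now)
        if result == "ok":
            return guess, tried
        if result in ("locked", "expired"):
            break
    return None, tried


def demo() -> dict:
    fixed = lambda n: 7777   # reproducible; a real service keeps secrets.randbelow
    weak = OtpService(ttl=None, max_attempts=None, single_use=False,
                      check_phone=False, rand=fixed)
    hard = OtpService(rand=fixed)
    results = {}
    fake, real = "+70000000000", "+79001234567"   # constructed sample numbers

    # Weak service: the story's fake number gets a code, the whole code space can
    # be walked, and the found code still works afterwards (timer long expired).
    weak.request_code(fake, now=0)
    results["weak_brute_force"] = brute_force(weak, fake, now=0)
    results["weak_reuse_after_timer"] = weak.verify(fake, "7777", now=600)

    # Hardened service: bad format rejected, enumeration locked out, code
    # single-use and dead after 60 seconds.
    try:
        hard.request_code(fake, now=0)
        results["hard_rejects_fake_phone"] = False
    except ValueError:
        results["hard_rejects_fake_phone"] = True
    hard.request_code(real, now=0)
    results["hard_brute_force"] = brute_force(hard, real, now=0)
    code = hard.request_code(real, now=100)
    results["hard_first_use"] = hard.verify(real, code, now=110)
    results["hard_reuse"] = hard.verify(real, code, now=111)
    code = hard.request_code(real, now=200)
    results["hard_expired"] = hard.verify(real, code, now=261)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sixth request against the hardened service already returns "locked": with five attempts per code the attacker's odds are 5 in 10,000 per login, and the code is thrown away on lockout rather than left to be guessed later. Note that a format check alone only filters junk like the number used in the story; it does nothing against the brute force, which is why the attempt limit, the lifetime and single use are the lessons that matter.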
So it goes. I hope you liked my story.