UPDATE: Hello everyone! Today I was surprised to learn from colleagues about this post. It turned out that my account had been hacked; Habrahabr's representatives confirmed this and restored my access, and they are now working out how it happened. But I am leaving this entry as it is, for the record.
Yandex representatives have already noted in the comments that the vulnerability is closed and that the software's security is being audited.
And, taking this opportunity, I want to remind you that the “Check Badoo for Strength” program has been running at Badoo for several years, and we pay for the vulnerabilities found.
Everyone is constantly talking about corruption. I want to tell you about a case that looks very much like corruption, but in the environment of a pure IT business, with the state not involved at all.
The case described below is interesting precisely from the point of view of hacking a business, although the article is mostly about hacking in the IT sense.
I'll start with the non-technical part.
A classmate of mine works in the Moscow taxi business, and has done so for many years. Several years ago, when a major player (and by now a monopolist), Yandex, entered the Moscow taxi market, my friend, of course, like all the other small and large players in this business, also started taking Yandex.Taxi orders.
For several years he has worked with Yandex.Taxi using software from ROSINFOTECH LLC. About six months ago Yandex acquired this company, and the software is now called Yandex.Taxometer or something like that.
What this software is: a driver-management kit (you can add or remove a car or a driver) plus accepting and cancelling orders.
So, I promised to start with the non-technical part. For several years this friend of mine has been complaining to me, whenever we met, about the eternal Russian problem: “they steal”.
He says they steal drivers, orders and even, according to rumours, money from QIWI wallets...
I took this somewhat philosophically. Well, the man is complaining about life. A driver left for (was taken by) another company and he thinks the driver was stolen; a common story. But this weekend he finally begged me: “Ivan, yes, yes, you (as you say) are not a security specialist, but look at how they manage to steal drivers from me! You're an IT person, after all!”
We sat down in a cafe with WiFi and started looking.
I'll finish the non-technical introduction by saying that, according to rumours circulating among the companies that work with Yandex.Taxi (and which also came from Rosinfotech), Yandex bought the above software for a billion.
Remember this number; we will need it at the end of the article.
So, the introduction is over; let's move on to the technical part.
He gave me the login and password for his personal account in the dispatch console, and I logged in.
Everything there is simple: a list of drivers (add/remove/block/print), reports, orders and so on. After clicking around the pages a little, I noticed that almost the entire site is built around UUIDs appearing in links and queries.
Clicking on a driver, you can see that the driver's UUID appears in the link to his details.
Then it became interesting to answer three questions:
- can the UUID of another company's driver be found out?
- knowing that UUID, can information about another company's driver be obtained (this is what my friend was actually complaining about)?
- can access to the orders of other companies' drivers be obtained?
Walking through the pages of the personal account, I noticed that companies are assigned UUIDs too.
“Aha!” I thought, and started asking my friend whether he knew what a UUID was and whether he had used one anywhere. He says: “Yes, in the Yandex partner account I entered the URL of the API.” “Give me that URL,” I say. He gives me something like this: sync.yandex.taxi.itrf.ru/drivers/<UUID>. We open this URL and see all the drivers of my friend's company as XML, conveniently parseable. Without authorization.
It remained to learn the UUIDs of other companies. How? As I said above, in some places on the site a quick Ctrl-U (view page source) in the browser shows the UUIDs of other companies, but I wanted the UUIDs of ALL companies using this software. We poked around the URLs for about half an hour with Ctrl-U and found many ways to get them at once.
For example, this beautiful JSON gives us just such a list:

Note that the list covers all regions of the country at once, not only Moscow.
Similar lists are also found in various selects, drop-down lists and so on. There are many such places. But let's carry on.
It was interesting to go back to the driver cards and look at them more closely. To do this we chose one of the Moscow companies, took the XML with all its drivers (which, as described above, is available without authorization) and continued experimenting on it.

We took a couple of drivers from this XML and substituted their UUIDs into the driver-card URL in my friend's account. We looked at the driver card: ratings, when the taxi exam was taken, licence numbers and so on; everything is visible.
Information about any driver (including someone else's) is available via a URL with a UUID.
This is the extended information (more than in the XML above).
Probably the developers of this software have never heard of the concepts of “authorization” and “authentication”, let alone the difference between them.
Right there in the cafe I sketched a Python script, and twenty minutes later we had a database of all Yandex.Taxi drivers in all cities (not only Moscow) with their phone numbers, ratings, licence numbers, car numbers, account balances and other private information.
We got something like this XLS file:

So I obtained hard evidence for my friend's suspicions, held for more than two years, about driver theft.
Then it became interesting to look at this problem a little more broadly: are these UUIDs available without any authorization at all? It turned out that they are!
This software offers a fairly wide range of related services, for example a taxi-ordering web form for the client company's website.
Looking (Ctrl-U) at several Yandex.Taxi partner sites, what do you think I found there? Right: the UUIDs of these companies, with which (remember) you can get all their drivers for free.
So I do not rule out that some search engine (including Yandex) will one day index all this private data of companies and people.
Then we looked at another resource of this company, also without authorization. Publicly accessible is a real-time log of all orders in Yandex.Taxi: you can see who an order is assigned to, what is happening with it, who is carrying it out, the pickup address and so on.

Pressing Ctrl-U on this page, we see the order ID and the company it is assigned to.
So we got the order IDs of other companies from an unauthenticated page (they exist on authenticated pages too, but I repeat: it was interesting to find them on an unauthenticated one).
Further, using the tools available in various parts of the personal account, we can not only observe but also influence the process: for example, you can stage the cancellation of another company's order and send your own car instead!
For the driver this looks like a cancelled order. For the client, like “a different car arrived”.
It's simply a Klondike for anyone inclined to dishonest ways of doing business!
But we are not such people. Hence this article :)
The most interesting thing is that this is not just some single hole: the whole software, the whole service, is built on there being NO information protection whatsoever. The product is simply a kind of database-record viewer with no protection between users.
Imagine that, having logged in to Google, you could see the mail of ALL Google users. This is roughly that case.
However, let's continue. The suite also includes an Android application. Taking the “Taximeter” app from the Android market, we quickly found that it makes requests to unauthenticated URLs. And the first unauthenticated HTTP request this application makes: guess which one?
That's right, the complete list of UUID / company-name pairs!
Using URLs taken from this application, you can:
- take or cancel orders on behalf of other drivers,
- send broadcast and targeted messages (for example, job offers) to other drivers,
and so on.
Here I got another confirmation that not only drivers can be stolen, but also the orders of those drivers.
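The same missing check underlies everything above: the driver card, the company driver list, the order log and the app's take/cancel-order calls are all addressed by a UUID, and nothing asks who is calling or whether the record belongs to them. The following is an added example, not code from this post or from Rosinfotech/Yandex: a toy in-memory dispatch backend with the vulnerable handler next to a hardened one (authenticate the session, then check the record's owning tenant), plus the cross-tenant check a reviewer would run against both. Every company, driver, order, session token and handler name here is constructed.

```python
"""Added example, not code from the post or from Rosinfotech/Yandex: a toy in-memory
dispatch backend showing the bug class described above (records addressed by UUID
with no check of who is asking) next to a hardened version, and the cross-tenant
check a reviewer would run against both. Every company, driver, order, token and
handler name here is constructed."""
import uuid

# Constructed tenants: two dispatch companies sharing one backend (assumption).
ACME, OTHER = str(uuid.uuid4()), str(uuid.uuid4())

# Constructed records keyed by UUID, the way the post describes the real service
# addressing drivers and orders. The "company" field is the owning tenant.
D_ACME, D_OTHER, O_OTHER = (str(uuid.uuid4()) for _ in range(3))
DRIVERS = {
    D_ACME:  {"company": ACME,  "name": "A. Driver", "phone": "+7 000 000-00-01", "balance": 1500},
    D_OTHER: {"company": OTHER, "name": "B. Driver", "phone": "+7 000 000-00-02", "balance": 2300},
}
ORDERS = {O_OTHER: {"company": OTHER, "driver": D_OTHER, "status": "assigned"}}

# Session tokens issued at login (constructed). Authentication answers "who is calling";
# the ownership check in the hardened handlers answers "may they touch this record".
SESSIONS = {"tok-acme": ACME, "tok-other": OTHER}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


# --- Vulnerable handlers: the UUID in the URL is the only "control" -------------
# A random UUID is not a secret once it is listed in page source, a public JSON
# endpoint or an app's first unauthenticated request, as the post describes.
def vuln_driver_card(_token, driver_id):
    return DRIVERS[driver_id]            # caller identity never consulted


def vuln_cancel_order(_token, order_id):
    ORDERS[order_id]["status"] = "cancelled"   # any order, any company
    return ORDERS[order_id]["status"]


# --- Hardened handlers: authenticate, then authorise against the owning tenant ---
def _caller_company(token):
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthenticated("no valid session") from None


def _owned(table, record_id, company):
    rec = table.get(record_id)
    # One response for "not yours" and "does not exist", so a 403/404 difference
    # cannot be used to confirm which UUIDs exist.
    if rec is None or rec["company"] != company:
        raise Forbidden(record_id)
    return rec


def driver_card(token, driver_id):
    company = _caller_company(token)
    rec = _owned(DRIVERS, driver_id, company)
    return {k: v for k, v in rec.items() if k != "company"}


def cancel_order(token, order_id):
    company = _caller_company(token)
    rec = _owned(ORDERS, order_id, company)
    rec["status"] = "cancelled"
    return rec["status"]


# --- The check: call each handler with tenant A's session on tenant B's record ---
def cross_tenant_leaks(handlers, token):
    """handlers: name -> (handler, id owned by another tenant).
    Returns the handler names that let `token` read or change that record."""
    leaks = []
    for name, (fn, foreign_id) in handlers.items():
        try:
            fn(token, foreign_id)
        except (Unauthenticated, Forbidden):
            continue
        leaks.append(name)
    return leaks


VULNERABLE = {"driver_card": (vuln_driver_card, D_OTHER), "cancel_order": (vuln_cancel_order, O_OTHER)}
HARDENED = {"driver_card": (driver_card, D_OTHER), "cancel_order": (cancel_order, O_OTHER)}

if __name__ == "__main__":
    print(cross_tenant_leaks(VULNERABLE, "tok-acme"))   # ['driver_card', 'cancel_order']
    print(cross_tenant_leaks(HARDENED, "tok-acme"))     # []
```

Two design points matter here. First, the ownership check lives in one helper that every handler goes through, so a new endpoint cannot forget it the way every endpoint in the suite described above apparently did. Second, the hardened handler answers "not yours" and "does not exist" identically; otherwise a scraper like the twenty-minute script mentioned earlier could still use the difference to confirm which UUIDs are live even after the data itself is protected.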
They say that enterprising people have even released a special application for intercepting Yandex.Taxi orders. A pity they just didn't post it on the Android market (or did they? We'd have to look at the paid sections of the market).
Well, now let's think a little about the topic I raised at the beginning.
Corruption or not corruption.
Yes, Yandex is a private company; the word “corruption” does not apply to it. But an interesting question arises: Yandex buys a software suite for a huge amount of money (a billion). And judging by the picture above, NO technical audit of this suite was performed.
What I, an ordinary IT person, found in a couple of hours of digging in a cafe, a security specialist would have found without much difficulty. So the question is: why didn't such a specialist (of whom Yandex has plenty) even look into this suite that cost a billion?
Do you think this suite was bought with a kickback, or not?
It seems to me that, when doing a billion deal, not allocating ten thousand rubles for one working day of a specialist to conduct an audit is... ugh... either deliberate negligence, or simply a wish to get rid of a billion quickly.
The explanation that this was bought with a kickback is, in my opinion, the most logical one.
An interesting question: who at Yandex made the decision to buy such a “big hole”? Probably he is the one to start with when clarifying the circumstances of the purchase of Yandex.S.
PS: After we looked at Taximeter from the Android market, we also looked at the internals of the taxi-ordering application from the same market, Yandex.Taxi. What is depressing is that the situation there is very similar. It was clearly made by people far removed not only from security issues but also from high-load programming.
But that is a completely different story; a separate article could be written about it.
PPS: Yandex.Taxi recently introduced payment for rides by credit card. I personally feel scared now to pay for a ride by credit card. And you?
UPD: Yandex has been notified of the problem, so here I propose to discuss the method of hacking the Yandex.Taxi business used by the comrades from the above company. One can only admire the business acumen of these people. Agree, fleecing the largest company on the RuNet for that kind of money without any quality check of the code being bought is not the same as selling vacuum cleaners to old ladies...