
“Gone in 60 Seconds”: the example of one car sharing service

“Without disappointment you will not feel the taste of victory” © Memphis Raines

The story began in a mundane way. In some YouTube video they talked about car sharing, with a demonstration of the "greeting" function for when you cannot find your car in a large parking lot. I immediately had the idea to check: what if I could activate the greeting function on absolutely all of this company's cars? Just for fun. A large Russian city, and at some moment thousands of cars start honking and flashing their headlights on command. Almost like in the movie "Die Hard 4".

As a result, everything turned out to be much more interesting. In fact, I found a way to steal any car.

Inside the user application everything is standard: loading of resources, a splash screen and the login form.

But then my idea of manipulating all the cars ran aground. I have not lived in Russia recently, and you cannot log in to the application without a Russian phone number. The application does not support the international number format. And for some reason I did not think of virtual numbers.

In desperation I tried entering +7 000 0000000. To my boundless surprise, the next step appeared, asking me to enter the code from an SMS. A 60-second countdown also started, hinting that the password is very short and that you need to hurry.

How so? What SMS, if the number cannot be real at all?

This situation led me to draw several conclusions:


I.e., somewhere in the database a password was waiting for us, assigned to our beautiful number +7 000 0000000.

This user authentication method is generally called OTP (One Time Password), i.e. the password "assigned" to us should be usable only once.

It seemed to be a dead end. You could turn off the laptop and phone and go to bed. But the thought would not let me go: what if I guessed this password? After all, there are only 10,000 possible options! The success of this venture was doubtful. I could run into a captcha or a lockout; in the end, my guessing could produce a single "successful password" response, and in the OTP format reuse of that password is not allowed. Not to mention the countdown timer, which had long since expired.

The right moment for this gif.


I intercept the password verification request. I make the password a dynamic parameter and set the range of possible values to enumerate. With crossed fingers I launch the brute-force attack. In such attacks I never try to disguise my actions: I do not change my IP address, I do not use a VPN, I do not limit the number of threads. I do not need to. I have no reason to avoid being noticed.

After 60 seconds the server's response is visible: a successful password has been found.

But will it be accepted again? After all, this is a One Time Password.

In the application, the countdown timer had already sadly grayed out the password entry field, hinting that I was late.

I put the cursor in the password field, erase the previously entered value, enter the successfully guessed password and press the login button.
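The three failures in the story (a code issued for an impossible number, 10,000 guessable values with no lockout, and a code still accepted after the timer ran out) are all server-side verification mistakes. The following is an added example of an OTP verifier that closes them with number validation, an attempt limit, expiry and single use; it is not the car sharing service's code, and the five-attempt limit and six-digit length are assumed policy.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 60   # matches the app's own 60-second countdown
MAX_ATTEMPTS = 5       # assumed policy: lock the code after this many wrong guesses


def normalize_phone(raw):
    """Return a +7XXXXXXXXXX string, or None if the number cannot be real."""
    phone = raw.replace(" ", "")
    digits = phone[2:]
    if not (phone.startswith("+7") and len(digits) == 10 and digits.isdigit()):
        return None
    if set(digits) == {"0"}:      # +7 000 0000000 from the story
        return None
    return phone


class OtpStore:
    """Issues and verifies one-time codes with expiry, attempt limit and single use."""
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested offline
        self.pending = {}           # phone -> {"code", "expires", "attempts"}

    def issue(self, raw_phone):
        phone = normalize_phone(raw_phone)
        if phone is None:
            raise ValueError("invalid phone number")   # no code, no SMS, no entry
        code = f"{secrets.randbelow(10**6):06d}"      # 6 digits, not 4
        self.pending[phone] = {"code": code,
                               "expires": self.clock() + OTP_TTL_SECONDS,
                               "attempts": 0}
        return code

    def verify(self, raw_phone, candidate):
        phone = normalize_phone(raw_phone)
        entry = self.pending.get(phone)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[phone]     # stale code: the timer is enforced server-side
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[phone]     # too many guesses: a fresh code must be requested
            return False
        if hmac.compare_digest(entry["code"], candidate):
            del self.pending[phone]     # single use: the same code never works twice
            return True
        return False
```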

And here is another problem. The application says that we are some kind of "unconfirmed user" and after a couple of seconds throws us back to the main page.

Either I could not carry out all of our plans, or my user really had not passed any moderation, document verification and all that...

In this situation there were only two options: either look for friends who use this service, or search for active users who have exposed their mobile numbers on the Internet.

Well, as you understand, at such a late hour I would not have found friends even if I wanted to.
That is why I went looking for users. It was the easiest thing. I found the official car sharing community on a social network, looked at the comments on the latest posts and opened the pages of several users. On the third or fourth profile I managed to find one user's published mobile number.


I took this number and went to test the theory.

A few minutes later I was wandering through the application, studying its capabilities. The user had a huge trip history, several tens of thousands in bonus money that could be used for trips, and a few payment cards tied to the profile.


Having studied YouTube videos and reviews, it became clear that when renting a car as this user, I would not have to enter any additional combination of digits protecting the car from theft through a hacked account.

I.e., I had a completely open opportunity to rent any car without presenting the required documents, to take the car and pay on behalf of the hacked user. Possible traffic police fines would likewise be paid by our victim.


At this point I simply lost sleep. Of course, the fact that I gained access to a user's account is not right. But thanks to it, I was able to detect dangerous logical vulnerabilities.

A few seconds later I wrote messages to the car sharing manager and the head of the IT department. Finding them was not difficult.

People responded adequately to the situation. Without objection, they took into account all the problems I had found and started fixing them. After 1-2 weeks the problems were resolved. I was even offered a car for free use for several days, but I preferred not to complicate my life with someone else's car in a foreign city (I was on a business trip).

From this whole story the following conclusions should be drawn:


So it goes.

Source: https://habr.com/ru/post/343090/
