Introduction
Good day, friends. Those who have read my previous articles will know that this is going to be another exciting hacking story. This time, though, the hack is about grocery shopping. I should say up front that this is not hacking in the usual sense: we will not exploit any bugs in the system's code. We will take the system as it is and simply look at it from the other side, in other words, "through a hacker's eyes".
The Perekrestok supermarket chain positions itself as an online grocery store as well. That may be very clever and convenient in our day, when you can order food from your couch at home. But it all looks too smooth to be real. Everywhere there are downsides and small flaws, and once you put them together you get a huge hole in the system...

Preparatory part
As with any retail chain, Perekrestok has its own plastic loyalty card, which any shopper can buy for twenty rubles. Points are credited to the card for every purchase: the more you buy, the more points you earn. Once enough points have accumulated, you can pay for any products with them (except cigarettes and alcohol). The exchange rate is 10 points = 1 ruble. Now to the point. Perekrestok has a website. According to Perekrestok's scheme, you buy a card and register it on the website in order to get access to your personal account, shop online, track your transactions and so on. But what do you actually get at the checkout? A plastic card with a 16-digit number that is already active. So many customers do not even know the site exists.
Now let's go to the card registration page. It looks like this:

OK. We enter the card number, and then what?

Wow. We enter the number, and then what?

(screenshot, cropped)
We land in the personal account to which this card is attached. The card is now completely under our control. That is, we can install the official app on Android or iPhone and generate a barcode that can be used to pay at the checkout.
But wait a minute! What if the card number we enter is not ours, while the phone number is? Then, friends, there is trouble: someone else's card gets linked to your number! A round of applause for Perekrestok!
Technical part
So we can take the number of any Perekrestok card and register it to our own phone number.
It is important to know that up to 5 cards can be registered to one phone number (a store rule), and the points from all 5 cards are summed into one balance. It is also important to know that a card number consists of 16 digits. Take, for example, the number 7790 9977 0000 0000 and suppose this card is yours. How do you find the others? Here is the pattern: add 8 to this number, and that is another person's card number. But bear in mind that within any block of ten there can never be more than one card! In that case you add 10 to move one block of ten higher.
So, you have the card 7790 9977 0000 0000. Next: 7790 9977 0000 0008 (+8).
But there cannot be two cards within one block of ten, so add another 10. Result: 7790 9977 0000 0018 (+10).
Next +8: 7790 9977 0000 0026 (+8).
And so on. But once you reach fifty, the pattern resets and you have to find the next number by hand. That is easy: try card numbers ending in *1 through *9 until the site asks us for a phone number.
That is sorted. Onwards!
Hacker part
Straight to the point. On the website, set the region to "Moscow and the Moscow region" or "St. Petersburg".

This gives us access to the personal account of the online store. After registering and logging into the account, we go to the "add card" tab.

This very convenient Perekrestok tool seems made specifically for a hacker. Here we can check whether a card number is valid: we submit the number and Perekrestok answers over JSON with "true" or "false". Well, you get the idea. You could even write a brute-forcer. I had about 1000 valid cards per hour.
Next, we register all these cards to phone numbers, log into the account, check the balance and, if everything looks good, log into the mobile app with that card, go to the store, buy some meat and milk and eat well at someone else's expense.
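A defender's view of the two flaws above (linking a card to any phone number without the owner's consent, and an add-card check that answers true/false), as an added example that is not Perekrestok's code: an in-memory linking flow in which the reply never reveals whether a card exists, a card already on file can only be moved with the current owner's confirmation, and every session is throttled. It assumes an activation secret printed on each card for unbound cards (an assumed scheme, not described on the page); all card numbers, phones and codes are constructed.

```python
import time
from collections import defaultdict

# Constructed demo registry (sample numbers, not real cards): card -> [phone_on_file, activation_code].
# Assumption for the example: every card carries a secret activation code (e.g. under a scratch panel).
CARDS = {
    "7790997700000000": ["+70000000001", "K7P2Q9"],   # registered to its owner
    "7790997700000018": [None, "M4ZX1B"],             # bought at checkout, never registered
}
GENERIC = "If the card exists, a confirmation code has been sent to the phone number on file."
MAX_ATTEMPTS_PER_HOUR = 5            # assumed policy value
_attempts = defaultdict(list)        # session -> timestamps of link attempts
_pending = {}                        # (card, new_phone) -> phone that must confirm

def _throttled(session, now):
    """Keep a sliding one-hour window per session; refuse once the cap is exceeded."""
    window = [t for t in _attempts[session] if now - t < 3600] + [now]
    _attempts[session] = window
    return len(window) > MAX_ATTEMPTS_PER_HOUR

def link_card(session, card, new_phone, activation_code=None, now=None):
    """Request binding `card` to `new_phone`. The reply is identical for existing
    and unknown cards, so the endpoint cannot be used as a true/false oracle."""
    now = time.time() if now is None else now
    if _throttled(session, now):
        return "Too many attempts; try again later."
    entry = CARDS.get(card)
    if entry is None:
        return GENERIC                              # unknown card: nothing happens, same text
    owner, secret = entry
    if owner is not None and owner != new_phone:
        _pending[(card, new_phone)] = owner         # code goes to the *current* owner, not the requester
    elif owner is None and activation_code == secret:
        _pending[(card, new_phone)] = new_phone     # unbound card: possession proved by its secret
    return GENERIC

def confirm_link(card, new_phone, confirming_phone):
    """Complete the binding only from the phone the code was actually sent to."""
    if _pending.get((card, new_phone)) != confirming_phone:
        return False
    CARDS[card][0] = new_phone
    del _pending[(card, new_phone)]
    return True
```

With these rules a stranger who only knows a card number gets the same reply as for a non-existent card, and the real owner's phone is the only one that can approve a move.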
Of course, nobody has to do this; we are only stating what could happen. Perhaps it is already happening.
Consequences
All well and good, but I have one phone and one SIM card. How can I register other cards? The answer is simple. We go to a paid service where we can buy phone numbers that will receive the SMS with the confirmation code. There are quite a few such services. One number costs roughly 2 to 4 rubles. A card balance can exceed 10,000 points, that is, more than a thousand rubles. So it pays off.
I repeat, this is not a call to go hacking. It is like a "bank robbery instruction": of course, nobody is going to rush out and rob a bank, and those who do will answer before the law.
Findings
Experimentally, about 500 cards were "collected". Balances ranged from 50 to 1,500 rubles.
It was also tested in practice. There was a trip to the store where a purchase was made with someone else's card. (The card belonged to a friend of mine, who was aware of it; I knew only the card number, which was later registered to my virtual number and assigned to me.) I attach the receipt:

So in a day you can make about 2 to 3 thousand rubles, sitting at home sipping tea, biting into a sausage sandwich, eating yogurt, drinking cola and so on.
All at the expense of the supermarket's customers! Or at the expense of the supermarket itself. That is debatable, but the store's reputation is clearly damaged either way.
There were attempts to contact customer support. I sent emails for two weeks. In the subject line I put "very important, you have been hacked". Strangely, there was no reply. Perhaps it was not taken seriously. Anyway. Nothing described above is that serious. Just rob customers, spend their money and feed your family.
That is all for now. The article is not complete: the technical details have been withheld to avoid mass abuse.