Here is how he hacked Ola Cabs, India’s biggest startup.
(by Shubham Paramhans; first appeared on medium.com)
A few weeks ago I was working on some weekend fun project; I don’t exactly remember what it was. I was monitoring my phone’s traffic through a proxy server, and while doing that I saw Ola API calls going out from my phone (since I was booking a cab).
After seeing that binary data flashing past from my system I forgot my weekend project and started tweaking and reverse engineering Ola’s APIs, which eventually resulted in breaking their money transaction system and, bam, I was able to recharge my Ola wallet with any amount. For a long time I was thinking about publishing this work on the web, but I have been way too busy all this time. It’s innate in humans: we all love a story. And if you’re looking for a cool tech story, this one could be for you.
Chapter 0: Something is not right
I was working on a small side project in which I was monitoring my phone traffic. For this purpose I used mitmproxy, a very light console-based proxy server. As I was booking my cab I saw Ola API calls. The structure of the API calls caught my attention; something was amiss here. These calls were plain HTTP requests, with no OAuth token or other authentication mechanism and no encryption guarding the APIs. One can easily replicate these calls from a console or from Chrome, or with other clients such as Postman or Advanced REST Client.
Above is a log of a request to fetch cabs for a given latitude and longitude. This is exactly what went from my phone to their servers, with a few payload fields like device-id and install-id. On refining it, though, I found that most of the fields present were not even required. This goes to show the absence of server-side validation for API calls. Below is what you get in response: a JSON list of cabs near your current location.
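The "refining" step above, stripping a captured request down to the fields the server actually checks, is easy to automate. The following is an added example, not code from the original post: a greedy parameter minimiser run against a constructed stand-in for the cabs endpoint that, like the server described above, validates only the coordinates. The field names and the stand-in endpoint are assumptions; to use it against a live endpoint you would replace `fake_cabs_endpoint` with a function that replays the request (for example through `requests` or a mitmproxy addon) and returns the status and body.

```python
"""Added example: greedy request-parameter minimisation against a constructed
stand-in endpoint.  Field names and the endpoint behaviour are assumptions."""
from __future__ import annotations

from typing import Callable

# Constructed capture: the kind of fields a cabs request might carry.
CAPTURED_PARAMS = {
    "lat": "12.9716",
    "lng": "77.5946",
    "device_id": "abc123",
    "install_id": "xyz789",
    "app_version": "3.2.1",
    "os": "android",
}


def fake_cabs_endpoint(params: dict) -> tuple[int, str]:
    """Stand-in for the server: it validates only lat/lng and ignores every
    other field, which is the behaviour the post observed."""
    try:
        lat, lng = float(params["lat"]), float(params["lng"])
    except (KeyError, ValueError):
        return 400, "missing or invalid coordinates"
    return 200, f"3 cabs near {lat:.4f},{lng:.4f}"


def minimise_params(params: dict,
                    send: Callable[[dict], tuple[int, str]]) -> dict:
    """Drop one field at a time and keep it dropped if the response is
    unchanged.  A single pass is enough when fields are validated
    independently, which is the common case for this kind of API."""
    baseline = send(params)
    kept = dict(params)
    for key in list(params):
        trial = {k: v for k, v in kept.items() if k != key}
        if send(trial) == baseline:
            kept = trial  # the server never looked at this field
    return kept


if __name__ == "__main__":
    minimal = minimise_params(CAPTURED_PARAMS, fake_cabs_endpoint)
    print("required fields:", sorted(minimal))
```

Against a real endpoint, compare a normalised view of the response (status code plus the fields you care about) rather than the raw body, since timestamps or request ids in the body would make every trial look "changed". A field that turns out to be optional is not necessarily ignored; it may be logged or used for rate limiting, so the result tells you what the server requires, not everything it reads.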
Chapter 1: Digging the tunnel
After successfully tracking and fetching cabs I was very happy, because (no offence to Ola) their app sucks, really badly. First of all, it crashes a lot. Secondly, I don’t like the UX; I think better things can be done. Just take the example of Uber: their app works so smoothly and booking a cab is a piece of cake. Thirdly, it is very difficult to book a cab. It’s a blink-and-you-miss-it situation where a cab vanishes in microseconds.
This got me thinking, and I created a one-tap app: once I’ve set my preferences, a thread runs in the background and ensures a one-tap cab booking. For one thing, it made my life easier while fully automating the booking process. A few people might find this offensive, but this is the fun of weekend projects: creating small utilities so that you can get even lazier :p
Then I got greedy (lazier). I thought, what if I can book a cab for free?! That would be one mighty badass thing to do. So I started to trace the recharge API calls.
I did one simple recharge on my phone to get an idea of what was going on. Long story short, one recharge process takes three simple steps:
Step one: generate an order id, which will be used for reference later.
Step two: make a few payment gateway calls to complete the transaction.
Step three: one more API call to Ola’s server to acknowledge the transaction and complete the process.
After completing the transaction I started connecting the dots to understand their system. Believe me, it was very easy maths. Simply put, it was a very bad design, because all the transaction APIs implemented by Ola used plain HTTP and sent their data in cleartext. This was the next ‘woohoo’ moment, because it motivated me to find more loopholes, and believe me, Ola’s system has a lot of them.
Chapter 2: Fire in the hole
After watching, tracing and connecting all the API calls, my console was ready to fire the bomb. Even if I didn’t get to book a cab for free, I could still create an app that books a cab for me in a single click. To be honest, I was kind of nervous. Let’s accept it: it was easier than I’d ever imagined, and if this went right, well, you can understand.
Since college days I’ve been making things like this, partly because I enjoyed the thrill of the process more than the end result. It wasn’t exactly like “The Social Network”, but something similar.
Coming back to the topic, I had my arsenal ready for the attack. With a prayer on my lips, I fired my first shot, i.e. generating an order id. It went perfectly. I took aim again, and below is what a cleaned-up request looks like, with the response from their server.
Now I had one order id ready for a transaction, which I could use to acknowledge completion. Lock and load!
In a few seconds I received a message on my phone confirming the recharge, and I was like YESSSSSS... it’s done!!! I just cannot express what it was like. I had just fooled one of the biggest startups, with millions in funding.
Hearing me shout in excitement, my sleeping flatmate DAERTY came running to the scene: “kya hua be kyu itna chilla raha h, chain se sone bhi nahi deta” (what happened, why are you shouting so much, you never let me sleep peacefully). I said, dude, watch this. I sent the last request again, pressed enter, and my phone’s message tone rang.
Note that I didn’t even generate a new order; it was the same order id. If you still didn’t get the joke: they were not even checking the order id, which simply means you can use the same order id to do as many recharges as you want, with whatever amount you want. Obviously not hundreds of them, so they get alerted (though from what I was seeing we can safely assume they were not going to). It was hilariously traumatizing (lol).
To summarize, I think the problem really was in their architecture. I mean, for the love of God, an order id should be unique and used once, shouldn’t it? Ola was not even tracking order ids. Maybe money is getting to their heads. Maybe in the process of putting more taxis on the road they lost track of their technology. Maybe that is why their customer support always sucks. And maybe that’s why they forgot something as basic as this, which even a library management system gets right. Maybe that’s why the Startup of the Year has such a huge security vulnerability.
Below is another screenshot from my Android phone showing the successful transactions.
Final chapter: The Aftermath
I was brought up a law-abiding citizen. Ethics are embedded (so I hack ethically). So my friend and I decided to write a mail to Ola to tell/caution them. We definitely did not have any intention of getting them in trouble, even if they seem to have trouble providing customer service.
Where better to shake them out of their slumber than to ask their dreadful customer support (that’s right, we are gentle folks)? So we wrote them a mail asking, in essence: “do you guys have any bug bounty program?” If you’re enough of a techie, you will know how Google deals with bugs. What we got in response was a very ugly and rude reply from them. In retrospect I’m surprised that I was surprised...
Even after such a hurtful response, we replied saying that it’s fine if they aren’t interested in improving their system. Two days later, we received a mail from their head of customer support saying “we will get back to you on this” (maybe they weren’t that bad). Now what? Now we wait...
1, 2, 3... 7 days, i.e. one week, was over and there was no response; maybe they were busy talking to cabbies. At that time I was working at Kuliza Technologies, Bangalore. I talked to my senior management and told them about this. They were very supportive and professional about the episode. They helped me report the issue to Ola’s management and even sent a mail to the CEO with all the details and findings of the hack (not boasting, but it was a hack).
A few days later, one of their security people replied. It went something like this:
Thanks for reporting this issue to us, we will fix this and will keep you updated.
Almost a month and a half later, I’m still waiting for a reply or an acknowledgement (and I naively thought it was just customer support that sucks at Ola). Maybe this callous attitude has trickled down from the top; the management’s attitude seems to have permeated the entire organization. I was under the impression that elephants can’t dance. It seems that calves loaded with food can’t either.
They’re spending their millions on hiring drivers who don’t even have the manners to talk to customers, or on buying huge offices. I’m sure that 8 out of 10 Ola customers will complain about their service quality. Even sarkari babus (government clerks) are showing up on time these days, while Ola’s cabs are still highly unpredictable. Their government-office mentality is visible from this example: last month I forgot my Sony earphones in a cab in Delhi. Close to 20 calls and emails later, I got a mail from their support saying that my earphones were in their Gurgaon office and I could collect them from there only (which is almost 40–60 km away).
Some of you may see this post as the result of frustration. Yes, it definitely is. As a customer I’m tired of their shitty support. As a programmer and developer it is frustrating to see their design and architecture. It is a mockery of our dependency on them.
In short, the issues with Ola are:
- Weak design of the DB and architecture, and glaringly poor implementation in the app. For example, an order id is supposed to be unique and single-use, but you can use the same order id to recharge your wallet again and again.
- It seems that the checksum, card id etc. aren’t cross-checked with MobiKwik. You can use any gibberish values in place of the checksum and card id, and the recharge will still go through.
- No security protocols like HTTPS, and no token validation. For money transactions, some token validation mechanism should have been implemented; at the very least, proper server-side validation should be present.
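The three-step recharge flow from Chapter 1 and the first two issues in the list above come down to one missing piece: the server keeps no record between "generate an order id" and "acknowledge the transaction", so the acknowledgement can be replayed with any amount and any checksum. The following is an added example, not Ola's code or anything from the original post: a toy wallet service that reproduces that design next to a hardened version in which order ids are single-use server-side records, the credited amount is taken from the record rather than the request, and the gateway checksum must verify. The class names, the shared gateway secret and the HMAC checksum scheme are assumptions made for illustration; the real gateway's signature format is not described on the page.

```python
"""Added example: the replayable recharge design described in the post beside
a hardened one.  Names, the gateway secret and the checksum scheme are
assumptions for illustration, not the real Ola or MobiKwik protocol."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Assumption: a secret shared with the payment gateway, used to sign the
# (order_id, amount) pair that the gateway reports back.
GATEWAY_SECRET = b"demo-gateway-secret"


def gateway_checksum(order_id: str, amount: int) -> str:
    """Stand-in for the gateway's checksum over the completed payment."""
    msg = f"{order_id}|{amount}".encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


class VulnerableWallet:
    """Step one hands out an order id, step three credits whatever the client
    sends.  Nothing is stored in between, so the id is never checked for
    existence, amount or reuse, and the checksum is never looked at."""

    def __init__(self) -> None:
        self.balance = 0
        self._counter = 0

    def create_order(self, amount: int) -> str:
        self._counter += 1
        return f"ORD{self._counter:06d}"  # predictable, and not recorded

    def acknowledge(self, order_id: str, amount: int, checksum: str) -> tuple[bool, str]:
        self.balance += amount  # trusts the client-supplied amount outright
        return True, "credited"


class HardenedWallet:
    """Order ids are unguessable, stored, bound to an amount and spent once."""

    def __init__(self) -> None:
        self.balance = 0
        self._orders: dict[str, dict] = {}

    def create_order(self, amount: int) -> str:
        if amount <= 0:
            raise ValueError("amount must be positive")
        order_id = secrets.token_hex(8)
        self._orders[order_id] = {"amount": amount, "state": "pending"}
        return order_id

    def acknowledge(self, order_id: str, amount: int, checksum: str) -> tuple[bool, str]:
        order = self._orders.get(order_id)
        if order is None:
            return False, "unknown order id"
        if order["state"] != "pending":
            return False, "order id already used"
        if amount != order["amount"]:
            return False, "amount does not match order"
        expected = gateway_checksum(order_id, order["amount"])
        if not hmac.compare_digest(expected, checksum):
            return False, "checksum does not verify"
        order["state"] = "credited"      # mark spent before crediting
        self.balance += order["amount"]  # credit the recorded amount only
        return True, "credited"


def replay_scenario(wallet) -> tuple[int, list[str]]:
    """Run the post's attack: one order for 100, three acknowledgements
    claiming 5000 with a gibberish checksum, then one honest acknowledgement
    and one replay of it.  Returns the final balance and each outcome."""
    reasons = []
    order_id = wallet.create_order(100)
    for _ in range(3):
        _, why = wallet.acknowledge(order_id, 5000, "gibberish")
        reasons.append(why)
    honest = gateway_checksum(order_id, 100)
    _, why = wallet.acknowledge(order_id, 100, honest)
    reasons.append(why)
    _, why = wallet.acknowledge(order_id, 100, honest)  # replay
    reasons.append(why)
    return wallet.balance, reasons


if __name__ == "__main__":
    for cls in (VulnerableWallet, HardenedWallet):
        balance, reasons = replay_scenario(cls())
        print(f"{cls.__name__}: balance={balance} outcomes={reasons}")
```

The vulnerable wallet ends the scenario at 15200 with every call "credited"; the hardened one ends at 100, rejecting the inflated amounts, accepting the honest acknowledgement once, and refusing its replay. In a real deployment the checksum check should be replaced or backed by a server-to-server status query to the gateway, and the state flip plus credit must happen in one database transaction so two concurrent acknowledgements cannot both see "pending". Transport security (HTTPS) is a separate layer; it stops a network observer from seeing or tampering with the calls but does nothing against a client that simply sends the acknowledgement twice, which is why the server-side record is the fix that matters here.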
Breaching Ola was one of the easiest kinds of hack possible, and a part of me disagrees with the part that describes it as a hack.
P.S.: Since they haven’t responded well, and this issue has been fixed in the current version, I am posting it!