Busting India’s biggest Startup – OLA!!

This post originally appeared on medium.

A few weeks ago I was monitoring my phone traffic from a proxy server. While doing that I saw Ola API calls going from my phone (since I was booking a cab).

For those who don’t know about Ola, Ola Cabs is the biggest cab provider in India and also biggest competitor of Uber (again in India). It has raised $500 million in funding, and processes 150,000 bookings a day.

After seeing those flashing binary data going from my system I forgot my weekend project and started tweaking and reverse engineering Ola’s APIs which eventually resulted in breaking their money transaction system. As a result I was able to recharge my Ola wallet with any amount.

For a long time I was thinking about publishing this work on the web, but have been too busy. However, after the response I received from Ola after reporting what I’d done, I decided to publish what happened below.

Chapter 0 : Something is not right

I was working on a small side project in which I was monitoring my phone traffic. For this purpose I used MITM Proxy, which is a very light console based proxy server. As I was booking my cab I saw Ola API calls. The structuring of the API calls attracted my attention. Something was amiss here.

These calls were simple HTTP requests without any OAuth token mechanism or any other encryption to guard the APIs. One can easily replicate these calls from a console or by simply using Chrome.

Request to fetch cabs for given latitude and longitude (click on the images to enlarge)

Above is a log of request to fetch cabs for a given latitude and longitude. This is exactly what went from my phone to their servers with a few payloads like device-id and install-id. On refining, though, I found most of the things present here were not even required. This goes to show the absence of server-side validation for API calls. Below is what you get in response, a JSON of cabs near your current location.

Response JSON (Click on images to enlarge)

Chapter 1: Digging the tunnel

After successfully tracking and fetching cabs I was very happy because (no offence to ola) their app sucks. First of all it crashes a lot. Secondly, I don’t like the UX. I think better things can be done. Just take the example of Uber. Their app works so smoothly and booking a cab is a piece of cake. Thirdly it is very difficult to book a cab. It’s a blink and you miss situation where in microseconds a cab vanishes.

This got me thinking. I created a one-tap app where once I’ve set my preferences, a thread can run in the background and ensure a one-tap cab booking. For one thing, it made my life easier while accomplishing the task of fully automating the booking process.

Then I got greedy. I thought what if I can book a cab for free? That will be one mighty bad-ass thing to do. So I started to trace the recharge API calls. I did one simple recharge on my phone to get an idea of what was going on. Long story short, one recharge process in three simple steps :-

Step One : Generate an order ID which will be used for reference in future

Step Two : Make a few payment gateway calls to complete the transaction

Step Three : One more API call to Ola’s server to acknowledge the transaction, to complete the process.

After completing the transaction I started connecting the dots to understand their system. Believe me when I said it was easy. Simply put, all the transaction APIs implemented by Ola were using simple HTTP protocol and sending data in plain white text. This got me thinking, what other loopholes does Ola have?

Chapter 2: Fire in the hole

After watching, tracing and connecting all the API calls, my console was ready to drop the bomb. Even if I didn’t get a free cab  I can create an app which can book a cab for me in a single click. To be honest, I was kind of nervous. Let’s accept it, it was easier than I’d ever imagined and if this went right, it had terrible consequences.

With a prayer on my lips, I fired my first shot i.e. generating an order ID. It went perfect. I took aim again and below is what a cleaned request looks like, with response from their server.

Generating one order to recharge my wallet (Click on image to enlarge)

Now I have one order ID that is ready for transaction, which I can use to acknowledge completion. Lock and load!

Final api call to recharge my wallet (click on image to enlarge)

In a few seconds I received a message on my phone, confirming the recharge and I was like YESSSSSS……..it’s done!!! I just cannot express what it was like. I just fooled one of the biggest startups with millions in funding.

Note that I didn’t even generate a new order, it was the same order ID. If you still didn’t get the joke — it means that they were not even checking for order ID, which simply means you can use the same order ID to do as many recharges with whatever amount you want, obviously not like 100’s so they get alerted (from what I’m seeing we can safely assume they are not going to).

To summarize this, I think the problem really was in their architecture. I mean for the love of God, you should make order ID unique, shouldn’t you? Ola was not even tracking order IDs. Maybe money is getting to their heads. Maybe in the process of putting more taxis on the road they lost track of their technology.

Maybe that is why their customer support always sucks. And maybe that’s why they forgot something as basic as this when it comes to library management. Maybe that’s why the Startup of the Year has such a huge security vulnerability.

Below is another screenshot of my android phone showing the successful transactions. (Click on image to enlarge)

Final chapter: The Aftermath

I was brought up a law-abiding citizen. Ethics are embedded (so I hack ethically). So me and my friend decided to write a mail to Ola to tell/caution them. We definitely did not have any intention of getting them in trouble, even if they seem to have trouble providing customer service.

Where better to shake them out of their slumber than ask their dreadful customer support (that’s right, we are gentle folks). So we wrote them a mail asking in essence — do you guys have any bug bounty program?”. If you’re enough of a techie, you will know how Google deals with bugs. What we got in response was a very ugly and rude response from their them. In retrospect I’m surprised that I was surprised…

Even after such a hurtful response from them, we replied them back saying that it’s fine if they aren’t interested in improving their system. Two days later, we received a mail from their customer support HEAD saying we will get back to you on this (maybe they weren’t that bad). Now what, now we wait…

1,2,3….7 days i.e. one week was over and there was no response, maybe they were busy talking to cabbies. At that time I was working with Kuliza Technologies, Bangalore. I talked to my senior management people and told them about this.

They were very supportive and professional about this episode. They helped me report this issue to the management of Ola and even sent a mail to the CEO with all the details and findings of that hack (not boasting but it was a hack):

A few days later, one of their security people replied. It went something like this

Thanks for reporting this issue to us, we will fix this and will keep you updated.

Almost a month and a half month later, I’m still waiting for a reply or an acknowledgement (and I naively thought it was just customer support that sucks at Ola). Maybe this callous attitude has trickled down from the top. The management’s attitude has definitely permeated the entire organization it seems. I was under the impression that elephants can’t dance. It seems that calves loaded on food can’t either.

They’re spending their millions to hire drivers who don’t even have manners to talk to customers or to buy huge offices. I’m sure that 8 out of 10 Ola customers will complain about their service quality. Even sarkari babus are showing up on time these days.

Ola’s cabs are still highly unpredictable. Their government office mentality is visible from this example; last month my I forgot my Sony earphones in a cab in Delhi. Close to 20 calls, and emails later I got a mail from their support saying that my earphones were in their Gurgaon office and I can collect them from there only(which is almost 40–60 km away).

 A need for change

Few of you may find this post as a result of frustration with the company. As a customer I’m tired of their shitty support. As a programmer and developer it is frustrating to see their design and architecture. It is mockery of our dependency.

In short the issues with Ola are :-

1. Weak design of DB and architecture, and glaringly poor implementation on app. For example order-ID is supposed to be unique but you can use same order-ID to recharge your wallet again and again.
2. It seems that checksum, card id etc isn’t crosschecked with MobiKwik. You can use any gibberish values in place of checksum & card-id, and the recharge will still be done successfully.
3. Lack of implementation of security protocols like HTTPS or any token validation. While making money transactions, some token validation mechanism should have been implemented. At least proper server side validations should be present.

Breaching Ola was one of the easiest kind of hacks possible, and a part of me is disagreeing with even calling it a hack, easy as it was.

Hack this site!

Now this is something really cool.  I found it while randomly surfing the net. Here’s a site where hackers can test their hacking skills.

http://www.hackthissite.org

This is safe and legal.!!  It provides a series of hacking challenges, articles, resources, and discussion of the latest happenings in hacker culture. There are a number of  missions here, each demonstrating a different kind of skill. You just have to go through their disclaimer policy and create an account to start with, and its free. So, all those budding hackers out there, here’s an opportunity to polish out your skills. Explore it. Wish you all the luck.!!

(Subscribe for more interesting information)
Thanks,

♝ ashyblogger ♝

Opening Blocked Websites

What is a Proxy Site?

What is a proxy site is a question that can best be answered by taking a look at what proxy servers are. In computer mumbo jumbo, proxy servers are programs or systems that function as the intermediary application for processing requests from clients who are looking for resources stored in other servers in a vast network such as the Internet. When accessing websites or simply surfing the Net, the client (that’s you) computer connects to the proxy server which in turn requests other appropriate servers for connection, files, and other types of resources and services. But it must be emphasized that a proxy server is not an ordinary go-between for different servers in the network. As a matter of fact, this computer system can be programmed to evaluate and filter out unwanted sites and other online applications.

The proxy server’s ability to sift through cyberspace and deny access to certain websites gives rise to what is a proxy site. Well, a proxy site is a website that allows Internet users to get around proxy servers, thus allowing access even to websites or online services that would have been otherwise filtered out by a proxy server. With a proxy site, a Net user simply has to type in a website’s URL and enjoy unrestricted online browsing. A proxy website prevents a user’s IP address from being recorded. Thus, it can hide the true identity of the user.

Here’s a list of top proxy sites, that can give you easy and safe access to blocked websites :-

1. http://premium4all.net/
2. http://proxyfx.com/
3. http://how-to-unblock-websites.com/
4. http://cookieshield.tk
5. http://undershots.tk
6. http://nolimit1.com
7. http://www.unblockersproxy.in/
8. http://www.sitefoo.info
9. http://www.veryfastproxy.in/
10. http://unblockschoolcomputers.net/
11. http://www.0383.org
12. http://freeproxysite9.info/
13. http://stopsme.com/
14. http://surfmy.org/
15. http://prooxy.net/
16. http://www.gizlen.net/
17. http://ipchanged.com
18. http://kingproxy.net/
19. http://hidemybody.com
20. http://www.freeproxysurfing.in/

Hacker-Proof your Phone

Your Phone’s Biggest Security Risk

Do you have a hot pic of your girlfriend on your phone? What would she do to you if it ended up on the Internet? This risk is greater than you might think—especially if you own an Android—according to research from North Carolina State University.

Certain Android phones like the EVO 4G and HTC Legend have preset apps that allow access to personal information or exposed phone features without requesting necessary permissions for the actual use, the researchers discovered. The apps are built on top of Google’s baseline Android software and are often used to notify users if they have missed a call or received a text message, explains Xuxian Jiang, Ph.D., an assistant professor of computer science at North Carolina State.

The problem: Hackers then access these backdoor apps and record phone calls, send text messages, and see personal information you send.

Jiang’s team told all of the manufacturers about the risk as soon as they discovered it. But that doesn’t mean you’re entirely safe. A 2011 Juniper Networks Global Threat Center study found in May that malware attacks were up 400 percent since the summer of 2010.

Michael Gregg, cyber expert with Superior Solutions Inc., offers these tips on how to keep the information on your phone secure.

· Turn off apps and services you aren’t using. Hackers wait in WiFi hot spots and look for open apps like a GPS tracker to link into your phone. They gain access to the apps and browsers you use, take information from your personal email, and can even steal your identity.

· Make a great password. The best practice is to use a passphrase. To start, think of a phrase and then turn it into a complex password. As an example, “rock and roll forever” becomes “Rock&roll4ever.” It’s upper case, lower case, special character, and numeric. And as it’s a phrase its much harder for an attacker to guess but easy for the user to remember.

· Encrypt sensitive data. Most BlackBerry, iPhone and Android smartphones have built-in encryption software. For more advanced security a third party like Whisper Systems has downloadable software to make sure that even if someone gets your files, they can’t read them. Do it for any files containing personal information like your address, birthday, or anything that you wouldn’t want anyone else knowing.

· Lock others out of your phone. Apps like The Perfect App Protector (free for Android), Smart Lock ($1.80 for Android), Lock Apps ($2.99 for BlackBerry) and Pic Lock 2.0 (free for iPhone) keep your photos, videos, and files safe by closing them to backdoor applications. Just ask the RNC: A reporter bought a BlackBerry formerly used by a Republican, which just happened to have Gov. Schwarzenegger’s personal cell phone. We’re sure the Governator wasn’t a big fan of the crank calls.

· Be wary of “SMishing”. Hackers have gotten creative and will send texts appearing to be from your bank. Only use official bank websites or apps, and if something looks suspicious always call your bank to verify the sender.

· Install anti-virus software. Many smartphones are now more advanced than computers. Jiang recommends the free NetQin Mobile Security software to all of his friends with Android and BlackBerry phones. For iPhone check out VirusBarrier iOS $2.99.

· Catch the thief yourself. There are two types of apps that are great for getting your phone back if ever stolen. Gregg recommends getting both.

-GPS tracker. If your phone is ever stolen, an app like TekTrak Pro ($4.99 for Android), Mobile Defense (free for Android), Find My Phone ($2.99 for BlackBerry) will show your phone’s current coordinates. The iCloud allows users to track their phone’s coordinates but the free Find my iPhone guarantees people cannot turn off the cloud system.

-The Gotya! Face Trap! App for Android $1.99. This app takes a picture whenever your screen lock is entered incorrectly. After taking the picture, it acquires the location of your device and forms a Google maps link, sending it with the time stamped picture to your email/Facebook helping you and the police track him down.

(courtesy- menshealth.com)