“Gone in 60 Seconds” Using One Car Sharing as an Example
“You won’t taste the victory without disappointment” © Memphis Reims
The story began in a trite way. In some video on YouTube they talked about car sharing. With a demonstration of the "welcome" function when you cannot find a car in a large parking lot. I immediately had the idea to check - but could I activate the welcome feature on absolutely all the cars of this company ?! Well, fun. Large Russian city. And at some point, thousands of cars on command begin to honk and blink headlights. Almost like in the movie "Die Hard 4".
As a result, everything turned out much more interesting. After all, in fact, I found the opportunity to steal any car.
Inside the application, everything is standard for users. Resource loading, splash-screen and application login form.
But then my idea of manipulating all the cars crashed on stones. Recently, I do not live in Russia and you cannot enter the application without a Russian phone number. The application does not support the international format of numbers. And for some reason I did not remember about virtual numbers.
Out of desperation, I guessed to enter +7 000 0000000. And there was no limit to surprise when the next step appeared with a proposal to enter the code from sms. Another 60-second countdown started, hinting that the password has a very short lifetime. And what you need to hurry.
How so? What sms if the number cannot be real at all ?!
This situation led me to draw several conclusions:
- The application does not check the format of the phone.
- probably, the number format can be thrown by another, just intercepting the request and changing it on the fly
- the application, regardless of which phone is received, sends a command to generate a password to the user.
That is, somewhere in the database a password is waiting for us. Which was assigned to our beautiful number +7 000 0000000.
In general, this method of user authentication is called OTP (One Time Password).
That is, the password that we "assigned" should be used only once.
It seems to be a dead end. You can turn off your laptop, phone and go to bed. But the thought didn’t let me go - but what if I pick up this password? After all, we have only 10,000 possible options! The success of this venture was dubious. It was possible to catch captcha, blocking, in the end, with my selection I could provoke a single call of a “successful password”. And in OTP format, reusing this password is not allowed. What can we say about the countdown timer, which has long ended.
The right moment for this gif.
I catch the password request. I make the password a dynamic parameter. I set the range of possible values for iteration. With crossed fingers I launch an attack on the selection. In the process of such attacks, I never try to mask my actions. I do not replace ip addresses. I do not use VPN. I do not put a small number of threads. I do not need it. I have no motivation not to notice me.
After 60 seconds, the server’s response catches your eye. Successful password found.
But will it be possible to reuse it? After all, this is One Time Password.
In the application, the countdown timer has already sadly highlighted the password entry field in gray. Thus hinting that I was late.
I put the cursor in the password field. I erase the previously entered password, enter the successfully selected password and press the login button.
And here is another problem. The application says that we are some kind of “non-confirmed user”. And throws it in a couple of seconds to the main page.
Or I was not able to implement all my plans. Or my user really did not go through some kind of moderation, confirmation of documents and all that ...
In this situation, there were only two options. Or look for friends who use this service. Or look for active users who have lit up their mobile numbers on the Internet.
Well, as you know, friends at such a late time, even if I wanted to, I could not find.
That's why I went looking for users. It was the easiest. I found official car sharing community in social sites. I looked at the comments of recent publications. Opened the pages of several users. On 3 or 4 profiles of one of the users, a published mobile number was found.
I took this number and went to check the theory of hacking.
After a couple of minutes I was already wandering around the application and exploring its features. The user had a huge travel history. Several tens of thousands of bonus money that you can use for trips. Well, a few cards for payment, which were tied to the profile of this user.
Having studied the videos on youtube and reviews, it became clear that when renting a car from this user, I do not have to enter any additional combinations of numbers that protect the car from theft through a hacked account.
That is, I had an absolutely open opportunity to rent any car without presenting the required documents. At the same time, take a car and pay on behalf of a hacked user. To pay possible fines from the traffic police would have also our victim.
At this point, I just lost sleep. Of course, the fact that I got access to the user account is not correct. But thanks to this, I was able to detect a dangerous logical vulnerability.
A few seconds later I already wrote messages to the car-sharing manager and the head of the IT department. Finding them was not difficult.
People adequately responded to the situation. Without objection, I took into account all the problems that I discovered. And they started to fix it. After 1-2 weeks, the problems were resolved. I was even offered a car for free use for several days. But I preferred not to complicate my life as a strange car in a foreign city (during a business trip).
The following conclusions must be drawn from this whole story:
- Do not neglect Brute-force protection.
- Check the format of the phone number if it is used as a login.
- After a single use, OTP should not work.
- OTP life should be short, even if not used.
- Do not use a phone number as a login.
- It is better to do additional user authorization when renting a car through a PIN code (a code that the user sets when registering). The user must enter this PIN code to unlock the vehicle.
So it goes.