Did you ever think about traveling around without a single penny? Yes? We just did it.
Because so little attention is paid to securing online systems, local companies may not know it, but they are compromised and attackers are quietly enjoying the fruit on the back end. This is a common pattern today: keep digging, and tell neither the authorities nor the public.
The SecurityWall team works to secure Pakistan's cyberspace and the online presence of our local applications. We have helped many local brands, but this story is meant to make the local audience and local developers aware that an application which seems secure is not necessarily secure from every angle.
Hisham Mir and Babar were traveling to the GSEA competition on Daewoo, a well-known intercity bus service in Pakistan.
While booking the ticket, Hisham tested the security of the system and found a flaw in the payment API used by both the website and the Android application. The flaw is easy to miss: it allows anyone to book a FREE ticket and travel across the country, because the ticket shows that the traveler paid the full amount when only part of it, or nothing at all, was actually paid.
Daewoo Pak Motors (Pvt.) Ltd is a subsidiary of Daewoo Bus Global Corporation of Korea, known for its luxury bus service all over Pakistan, with thousands of people traveling per day. When it comes to securing its servers, however, the company appears to have made little effort.
The Process
We bought a PKR 500 (about 5 USD) ticket from Peshawar to Rawalpindi for just PKR 100. A few days later we repeated the same steps for Hisham, from Sialkot to Islamabad, this time paying only PKR 50 (about 0.5 USD), to confirm that the bug still existed.
We printed the tickets and traveled to our destinations. On arrival we visited the terminal manager and paid the remaining fare, but they did not understand what we were telling them; they assumed it was some issue on the system's end and that it was therefore fine.
The worst part was that they never even thought to ask how, when, or why. They simply said, "Okay, thanks!"
In the end we confirmed that we could travel for free as well. Yes, we managed to book travel for PKR 0 (0 USD) from any terminal to any destination, all for FREE!
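The post does not say what the request looked like or which field was tampered with, so the following is a constructed illustration added to this page, not Daewoo's code or the SecurityWall team's own test, of the bug class that produces exactly the symptom described above: a booking back end that unlocks a ticket as "paid in full" on any successful gateway payment, regardless of the amount actually settled. The fare table, the `PaymentGateway` stub and the `BookingService` class are all invented for this example. The hardened version recomputes the fare on the server, compares it to the settled amount, and refuses to reuse a payment id.

```python
"""Constructed example of a client-trusted payment amount, beside a hardened
version. Routes, fares, the gateway and the service are stubs invented for
this page; none of this is Daewoo's code or API."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Hypothetical fare table in PKR, made up for this example.
FARES: Dict[tuple, int] = {
    ("Peshawar", "Rawalpindi"): 500,
    ("Sialkot", "Islamabad"): 500,
}


@dataclass
class Ticket:
    origin: str
    destination: str
    amount_paid: int   # the figure printed on the ticket
    status: str        # "paid" or "rejected"
    reason: str = ""


class PaymentGateway:
    """Stub gateway. The *client* chooses the amount it pays (as a real
    hosted-checkout flow lets it); the gateway only records what settled."""

    def __init__(self) -> None:
        self._settled: Dict[str, int] = {}
        self._next = 1

    def pay(self, amount: int) -> str:
        payment_id = f"pay-{self._next}"   # hypothetical id format
        self._next += 1
        self._settled[payment_id] = amount
        return payment_id

    def settled_amount(self, payment_id: str) -> Optional[int]:
        return self._settled.get(payment_id)


class BookingService:
    def __init__(self, gateway: PaymentGateway) -> None:
        self.gateway = gateway
        self._used_payments: Set[str] = set()

    def confirm_vulnerable(self, origin: str, destination: str,
                           payment_id: str) -> Ticket:
        """Bug: the server only checks that *some* payment succeeded, then
        prints the full fare on the ticket. A client that paid PKR 100, 50 or
        0 gets a ticket that says PKR 500 was paid."""
        fare = FARES.get((origin, destination))
        if fare is None or self.gateway.settled_amount(payment_id) is None:
            return Ticket(origin, destination, 0, "rejected", "no payment")
        return Ticket(origin, destination, fare, "paid")

    def confirm_hardened(self, origin: str, destination: str,
                         payment_id: str) -> Ticket:
        """Fix: the fare is computed server-side, the ticket is issued only
        when the gateway-settled amount equals that fare, and each payment id
        can be redeemed once (so one real payment cannot mint many tickets)."""
        fare = FARES.get((origin, destination))
        if fare is None:
            return Ticket(origin, destination, 0, "rejected", "unknown route")
        if payment_id in self._used_payments:
            return Ticket(origin, destination, 0, "rejected", "payment reused")
        settled = self.gateway.settled_amount(payment_id)
        if settled is None:
            return Ticket(origin, destination, 0, "rejected", "no payment")
        if settled != fare:
            return Ticket(origin, destination, 0, "rejected",
                          f"settled {settled}, fare {fare}")
        self._used_payments.add(payment_id)
        return Ticket(origin, destination, fare, "paid")


if __name__ == "__main__":
    gw = PaymentGateway()
    svc = BookingService(gw)
    cheap = gw.pay(100)   # client pays a fifth of the fare
    print(svc.confirm_vulnerable("Peshawar", "Rawalpindi", cheap))
    print(svc.confirm_hardened("Peshawar", "Rawalpindi", cheap))
```

The test an engineer would add to the booking service's regression suite is the second call above: a settled amount below the server-computed fare must never yield a "paid" ticket, and the same payment id must not be redeemable twice.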
We contacted the CIO of Daewoo to explain the vulnerability in the payment API used by both the web and mobile versions. Initially they were very interested and appreciated our approach, and Daewoo promised to disclose it along with a cash reward reflecting the worth of the vulnerability. When the Daewoo CIO patched the vulnerability and asked us to retest, we did so, this time on official request, and found that the bug was fixed.
The CIO set a date to send the bounty for reporting this critical API vulnerability, but to date the CIO has gone completely silent. We were not looking for money, as we are doing fine with our own services and individual work, but because the CIO had promised it we were happy that a local brand had the right mindset, understood how the team ethically reported the issue, and understood what this vulnerability meant to Daewoo and how badly it could hurt the company financially. They proved us wrong.
Note: This post is published because we discussed disclosing it for awareness with Daewoo officials after the bug was fixed. Our intention was only to report the issue to them, which we did, and Daewoo fixed it!
This post is meant to make brands and developers aware that they should pentest their applications before some bad actor comes in and hurts them in many ways. Our job was to report it to Daewoo, and we did; this is not the first time we have reported critical issues. We have reported many vulnerabilities to top brands, who appreciated our ethical approach and now engage us to pentest their apps. A good approach, isn't it?
Oh, I forgot to mention: we finished as 2nd Runners Up in GSEA across Pakistan, the event that led to all of this.