A few weeks ago I was monitoring my phone
traffic from a proxy server. While doing that I saw Ola API calls going
from my phone (since I was booking a cab).
For those who don’t know about Ola, Ola Cabs
is the biggest cab provider in India and also biggest competitor of
Uber (again in India). It has raised $500 million in funding, and
processes 150,000 bookings a day.
After seeing those flashing binary data
going from my system I forgot my weekend project and started tweaking
and reverse engineering Ola’s APIs which eventually resulted in breaking
their money transaction system. As a result I was able to recharge my
Ola wallet with any amount.
For a long time I was thinking about publishing this
work on the web, but have been too busy. However, after the response I
received from Ola after reporting what I’d done, I decided to publish
what happened below.
Chapter 0: Something is not right
I was working on a small side project in which I was monitoring my phone traffic. For this purpose I used MITM Proxy,
which is a very light console-based proxy server. As I was booking my
cab I saw Ola API calls. The structuring of the API calls attracted my
attention. Something was amiss here.
These calls were simple HTTP requests without any
OAuth token mechanism or any other encryption to guard the APIs. One can
easily replicate these calls from a console or by simply using Chrome.
Request to fetch cabs for given latitude and longitude.
Above is a log of the request to fetch cabs for
a given latitude and longitude. This is exactly what went from my phone
to their servers with a few payloads like device-id and install-id. On
refining, though, I found most of the things present here were not even
required. This goes to show the absence of server-side validation for
API calls. Below is what you get in response, a JSON of cabs near your
current location.
Response JSON
Chapter 1: Digging the tunnel
After successfully tracking and fetching
cabs I was very happy because (no offence to Ola) their app sucks. First
of all it crashes a lot. Secondly, I don’t like the UX. I think better
things can be done. Just take the example of Uber. Their app works so
smoothly and booking a cab is a piece of cake. Thirdly it is very
difficult to book a cab. It’s a blink-and-you-miss-it situation where in
microseconds a cab vanishes.
This got me thinking. I created a one-tap
app where once I’ve set my preferences, a thread can run in the
background and ensure a one-tap cab booking. For one thing, it made my
life easier while accomplishing the task of fully automating the booking
process.
Then I got greedy. I thought what if I can
book a cab for free? That will be one mighty bad-ass thing to do. So I
started to trace the recharge API calls. I did one simple recharge on my
phone to get an idea of what was going on. Long story short, one
recharge process takes three simple steps:
Step One: Generate an order ID which will be used for reference in future
Step Two: Make a few payment gateway calls to complete the transaction
Step Three: One more API call to Ola’s server to acknowledge the transaction, to complete the process.
After completing the transaction I started
connecting the dots to understand their system. Believe me when I say
it was easy. Simply put, all the transaction APIs implemented by Ola
were using the simple HTTP protocol and sending data in plain text.
This got me thinking, what other loopholes does Ola have?
Chapter 2: Fire in the hole
After watching, tracing and connecting all
the API calls, my console was ready to drop the bomb. Even if I didn’t
get a free cab I could create an app which can book a cab for me in
a single click. To be honest, I was kind of nervous. Let’s accept it, it
was easier than I’d ever imagined and if this went right, it had
terrible consequences.
With a prayer on my lips, I fired my first
shot, i.e. generating an order ID. It went perfectly. I took aim again and
below is what a cleaned request looks like, with the response from their
server.
Generating one order to recharge my wallet
Now I have one order ID that is ready for transaction, which I can use to acknowledge completion. Lock and load!
Final API call to recharge my wallet
In a few seconds I received a message on my
phone, confirming the recharge and I was like YESSSSSS……..it’s done!!! I
just cannot express what it was like. I just fooled one of the biggest
startups with millions in funding.
Note that I didn’t even generate a new
order, it was the same order ID. If you still didn’t get the joke — it
means that they were not even checking for order ID, which simply means
you can use the same order ID to do as many recharges with whatever
amount you want, obviously not like 100’s so they get alerted (from what
I’m seeing we can safely assume they are not going to).
To summarize this, I think the problem
really was in their architecture. I mean for the love of God, you should
make order ID unique, shouldn’t you? Ola was not even tracking order
IDs. Maybe money is getting to their heads. Maybe in the process of
putting more taxis on the road they lost track of their technology.
Maybe that is why their customer support always
sucks. And maybe that’s why they forgot something as basic as this when
it comes to library management. Maybe that’s why the Startup of the Year
has such a huge security vulnerability.
Below is another screenshot of my android phone showing the successful transactions.
Final chapter: The Aftermath
I was brought up a law-abiding citizen.
Ethics are embedded (so I hack ethically). So my friend and I decided
to write a mail to Ola to tell/caution them. We definitely did not have
any intention of getting them in trouble, even if they seem to have
trouble providing customer service.
Where better to shake them out of their
slumber than to ask their dreadful customer support (that’s right, we are
gentle folks). So we wrote them a mail asking, in essence, “do you guys
have any bug bounty program?”. If you’re enough of a techie, you will
know how Google deals with bugs. What we got in response was a very ugly
and rude response from them. In retrospect I’m surprised that I
was surprised…
Even after such a hurtful response from
them, we replied to them saying that it’s fine if they aren’t
interested in improving their system. Two days later, we received a mail
from their customer support HEAD saying we will get back to you on this
(maybe they weren’t that bad). Now what, now we wait…
1, 2, 3… 7 days, i.e. one week, was over and
there was no response, maybe they were busy talking to cabbies. At that
time I was working with Kuliza Technologies, Bangalore. I talked to my
senior management people and told them about this.
They were very supportive and professional about this
episode. They helped me report this issue to the management of Ola and
even sent a mail to the CEO with all the details and findings of that
hack (not boasting but it was a hack):
A few days later, one of their security people replied. It went something like this:
Thanks for reporting this issue to us, we will fix this and will keep you updated.
Almost a month and a half
later, I’m still waiting for a reply or an acknowledgement (and I
naively thought it was just customer support that sucks at Ola). Maybe
this callous attitude has trickled down from the top. The management’s
attitude has definitely permeated the entire organization, it seems. I
was under the impression that elephants can’t dance. It seems that
calves loaded on food can’t either.
They’re spending their millions to hire
drivers who don’t even have the manners to talk to customers, or to buy huge
offices. I’m sure that 8 out of 10 Ola customers will complain about
their service quality. Even sarkari babus are showing up on time these
days.
Ola’s cabs are still highly unpredictable. Their
government office mentality is visible from this example; last month I
forgot my Sony earphones in a cab in Delhi. Close to 20 calls and
emails later I got a mail from their support saying that my earphones
were in their Gurgaon office and I can collect them from there
only (which is almost 40–60 km away).
A need for change
A few of you may see this post as a result
of frustration with the company. As a customer I’m tired of their shitty
support. As a programmer and developer it is frustrating to see their
design and architecture. It is a mockery of our dependency.
In short, the issues with Ola are:
- Weak design of DB and architecture, and glaringly poor implementation on the app. For example, an order ID is supposed to be unique, but you can use the same order ID to recharge your wallet again and again.
- It seems that checksum, card ID etc. aren’t cross-checked with MobiKwik. You can use any gibberish values in place of checksum and card ID, and the recharge will still be done successfully.
- Lack of implementation of security protocols like HTTPS or any token validation. While making money transactions, some token validation mechanism should have been implemented. At least proper server-side validations should be present.
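To make the three points above concrete, here is an added example (not Ola’s code and not from the original post) of what the acknowledgement step of the recharge flow should do on the server: treat each order ID as single-use, bind the credited amount to the amount recorded when the order was created, and verify the gateway checksum before touching the wallet. The HMAC-SHA256 checksum format, the shared gateway secret and the order states are assumptions made for the example.

```python
import hashlib
import hmac
import uuid

# Assumed shared secret between the wallet service and the payment gateway
# (constructed for this example; a real service would load it from config).
GATEWAY_SECRET = b"example-gateway-secret"


def gateway_checksum(order_id: str, amount: int, status: str) -> str:
    """HMAC-SHA256 over the callback fields; the gateway computes the same value."""
    msg = f"{order_id}|{amount}|{status}".encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


class WalletService:
    def __init__(self) -> None:
        self.orders = {}    # order_id -> {"user", "amount", "state"}
        self.balances = {}  # user -> balance in paise

    def create_order(self, user: str, amount: int) -> str:
        """Step one: the server, not the client, picks a unique unguessable order ID."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        order_id = uuid.uuid4().hex
        self.orders[order_id] = {"user": user, "amount": amount, "state": "PENDING"}
        return order_id

    def acknowledge(self, user: str, order_id: str, amount: int,
                    status: str, checksum: str) -> bool:
        """Step three: credit the wallet only if every check passes."""
        order = self.orders.get(order_id)
        if order is None or order["user"] != user:
            return False  # unknown order, or an order that belongs to someone else
        if order["state"] != "PENDING":
            return False  # replay: this order ID has already been settled
        if amount != order["amount"]:
            return False  # client-supplied amount must equal the ordered amount
        expected = gateway_checksum(order_id, amount, status)
        if not hmac.compare_digest(expected, checksum):
            return False  # gibberish or forged checksum is rejected, order stays pending
        if status != "SUCCESS":
            order["state"] = "FAILED"
            return False
        order["state"] = "COMPLETED"  # single use: a second ack hits the replay check
        self.balances[user] = self.balances.get(user, 0) + amount
        return True
```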
Breaching Ola was one of the easiest kinds
of hacks possible, and a part of me is disagreeing with even calling it a
hack, easy as it was.