Ola Cabs Privacy Security Issue discovered by AppWatch


Hello Everyone,

At Attify, we have been working for months now on AppWatch, the best mobile security assessment platform to help developers, penetration testers, managers and even *CISOs* with enterprise mobile security.

We launched an early community version of AppWatch 4 months back, and got a really great response from the developer and security community. Thanks everyone for helping us improve AppWatch and make it more relevant to your needs.

We are currently working actively to come up with the next version of AppWatch, and evolving it from a tool to a complete mobile security platform for enterprises.

This blog post will discuss one of the vulnerabilities we discovered with AppWatch in Ola Cabs (a major competitor to Uber), the most popular cab ride service in India.

The vulnerability lies in one of their APIs, revealed during normal use of the application. (Sorry, we are not allowed to reveal the exact technical details of the vulnerability.)

So, in order to identify the vulnerability, a pentester would:

  • Need to install and run the application
  • Set up a proxy on their host system
  • Configure the proxy in the Android device
  • Look into each and every request to find the vulnerability

This process typically takes 3-4 hours of work for a skilled pentester.

With AppWatch, you can find the vulnerability, as well as create a POC, in less than 5 minutes. That’s how powerful and easy to use AppWatch is.

The first step is to log in to your AppWatch portal. Since Google Play support is already integrated in AppWatch, you just need to search for Ola Cabs in the search box.

[![AppWatch - The best mobile security platform](https://blog.attify.com/content/images/2015/02/attify-login-screen.png)](https://blog.attify.com/content/images/2015/02/attify-login-screen.png)
AppWatch Login Screen

Once you start the analysis, it will automatically create a new instance for you (we love [Docker](https://www.docker.com/)), where it will install and run the application. You will see a screen similar to the one shown below.

[![Analysing Ola Cabs in AppWatch](https://blog.attify.com/content/images/2015/02/screenshot-with-no-network-traffic.png)](https://blog.attify.com/content/images/2015/02/screenshot-with-no-network-traffic.png)
Analysing Ola Cabs in AppWatch

You can use the application normally, and AppWatch will show you the **application’s network traffic in real time**. AppWatch is an **intelligent platform** which automatically **identifies APIs which could be vulnerable**. As soon as the app does something which AppWatch identifies as vulnerable, it displays a *vulnerable* tag along with the request.

[![AppWatch identifying vulnerable APIs](https://blog.attify.com/content/images/2015/02/vulnerable-tag.png)](https://blog.attify.com/content/images/2015/02/vulnerable-tag.png)
AppWatch identifying vulnerable APIs

You can now click on the **request** to expand it and see both the request and the response with all parameters and headers, which you can modify and replay from the same window. [*Isn’t it awesome*](https://appwatch.io)?

[![Editing live requests in AppWatch](https://blog.attify.com/content/images/2015/02/editing-live-requests.png)](https://blog.attify.com/content/images/2015/02/editing-live-requests.png)
Editing live requests in AppWatch

Once you hit replay and confirm that it’s really vulnerable, you can easily create a POC by clicking on the **Create POC** button in the replayed request. AppWatch automatically identifies what kind of vulnerability it is, and shows you the corresponding POC creation parameters.

[![Automated POC creation in AppWatch](https://blog.attify.com/content/images/2015/02/creating-poc.png)](https://blog.attify.com/content/images/2015/02/creating-poc.png)
Automated POC creation in AppWatch

You can now configure the parameters and click on **Create POC** to have AppWatch generate the complete vulnerability POC for you. You’ll see the URL of the newly created POC right there. Depending on the vulnerability found, the generated POC will differ, and you can even customize the complete POC according to your needs.

[![POC Creation complete](https://blog.attify.com/content/images/2015/02/poc-created.png)](https://blog.attify.com/content/images/2015/02/poc-created.png)
POC Creation complete

Once the POC has been generated, you can open the POC link; it looks like the screenshot below.

[![Ola Cabs Security Issue POC Website](https://blog.attify.com/content/images/2015/02/Screen-Shot-2015-02-02-at-4.28.21-AM.png)](https://blog.attify.com/content/images/2015/02/Screen-Shot-2015-02-02-at-4.28.21-AM.png)
Ola Cabs Security Issue POC Website
The vulnerability reveals the complete user details of any user: how much they have travelled, their recent travel bookings, wallet details including the credit, amounts credited and debited, previous booking reference numbers and much more – all with just the user’s email id.
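The flaw described above is an authorization failure: the API authenticates the caller but then serves whichever account the caller names by email. The following is an added illustration written for this post, not Ola's code, AppWatch output, or any real API. It shows a generic account-details lookup with that defect beside a hardened version that derives the account from the session, plus a small scan over constructed access-log lines that flags a single session reading many different accounts. All user records, tokens, emails, paths and log lines are constructed sample data.

```python
# Added illustration, not Ola's code: a generic account-details lookup that
# trusts a caller-supplied email, a hardened version bound to the session,
# and a log scan that flags one session reading many different accounts.
# Every record, token, email and log line here is constructed sample data.
from collections import defaultdict


class Unauthorized(Exception):
    """No valid session token was presented."""


class Forbidden(Exception):
    """The session is valid but may not read the requested account."""


# Constructed user records: ride count, wallet balance, recent booking refs.
USERS = {
    "alice@example.com": {"rides": 42, "wallet_balance": 350.0,
                          "recent_bookings": ["BK-1001", "BK-1002"]},
    "bob@example.com": {"rides": 7, "wallet_balance": 20.0,
                        "recent_bookings": ["BK-2001"]},
}

# Constructed session store: bearer token -> account that logged in.
SESSIONS = {"tok-alice": "alice@example.com", "tok-bob": "bob@example.com"}


def lookup_session(token):
    """Return the account bound to a session token, or raise Unauthorized."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthorized("invalid or expired session") from None


def user_details_vulnerable(token, email):
    """Authenticate the caller, then look up whatever email was supplied.

    Authentication happens, authorization does not: any logged-in session
    can read any other account just by naming its email.
    """
    lookup_session(token)
    return USERS[email]


def user_details_hardened(token, email):
    """Derive the account from the session; refuse a mismatching email."""
    caller = lookup_session(token)
    if email.strip().lower() != caller:
        raise Forbidden("a session may only read its own account")
    return USERS[caller]


def can_read(token, email):
    """True if the hardened endpoint would serve this request."""
    try:
        user_details_hardened(token, email)
        return True
    except (Unauthorized, Forbidden):
        return False


# Constructed access-log lines: "<token> GET /user/details?email=<email>".
SAMPLE_LOG = """\
tok-alice GET /user/details?email=alice@example.com
tok-bob GET /user/details?email=bob@example.com
tok-bob GET /user/details?email=alice@example.com
tok-bob GET /user/details?email=carol@example.com
tok-bob GET /user/details?email=dave@example.com
"""


def flag_account_enumeration(log_text, max_distinct=1):
    """Return tokens that asked for more than max_distinct different accounts.

    A legitimate session only ever asks for its own email, so a session that
    names several accounts is worth an alert even if the requests were refused.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or "email=" not in parts[2]:
            continue  # skip lines that are not account-details requests
        token, query = parts[0], parts[2]
        seen[token].add(query.split("email=", 1)[1].lower())
    return sorted(t for t, emails in seen.items() if len(emails) > max_distinct)


if __name__ == "__main__":
    print(user_details_vulnerable("tok-bob", "alice@example.com"))  # leaks Alice
    print(can_read("tok-bob", "alice@example.com"))                  # False
    print(flag_account_enumeration(SAMPLE_LOG))                      # ['tok-bob']
```

The fix is not input validation on the email; it is refusing to let the client choose the account at all. The detection helper is deliberately simple so it can be dropped onto any request log that records a session identifier next to the requested account.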

Below is a video demo of the vulnerability mentioned in the blog post.

Thanks for going through the blog post. If you are excited about AppWatch and want to try it out for free as soon as it launches in March 2015, sign up at https://appwatch.io. Also, as a matter of fact, we recently found a vulnerability in one of the apps by Twitter using AppWatch (in less than 5 minutes), which landed us a bounty of $980. 🙂

Please direct all mails regarding the blog post to secure [at] attify [dot] com. If you want to share this on Twitter, please mention us at @attifyme.

Also, if you’re from India, the Attify team will be present at the upcoming Nullcon event in Goa from Feb 5th-7th, and at StartupGrind at Redmond City, CA, US from Feb 9th-11th. If you’re from the Bay area, feel free to drop us a mail in case you want to discuss your enterprise security issues and how Attify can help you solve them.

We appreciate the responsible disclosure policy of Ola Cabs, and we made the post public only after the vulnerability was completely patched. The ultimate goal is to support the startups who help us every day, like Ola, and not to harm their reputation.

Here’s a quick timeline:

  • Vulnerability disclosed to Ola: Feb 1st, 2015
  • Vulnerability patched: Feb 3rd, 2015 (amazingly fast response by the Ola security team)
  • Blog published (made public): March 23rd, 2015

It’s really good to see Indian startups like Ola focusing so much on security, and patching reported vulnerabilities in less than 48 hours. We love working with companies, their security teams and developers, and making their applications secure.

Contact us to get the security assessment of your application done or to get AppWatch for your organisation.

A list of services Attify currently provides –

[![Attify Mobile and IoT Security](https://blog.attify.com/content/images/2015/02/attify-services.png)](https://blog.attify.com/content/images/2015/02/attify-services.png)
Attify Mobile and IoT Security

Signing off.

Attify Team
(@attifyme)
