With a couple of hours to spare earlier this year at a French underground event for hackers, security researcher Baptiste Robert opted for a cup of coffee from a vending machine.
And a couple of hours was just enough time to get it – hacker style.
When he saw he could pay by mobile phone via an accompanying app for Android or iOS called CoffeecApp, Baptiste revealed an easy way that unethical hackers could steal other users’ accounts and make automated purchases at their expense.
Robert decided to look at the type of information the app exchanged with the vendor’s server. He started by creating an account and checking the data moving back and forth, which included a user ID, the phone number acting as a username.
Resetting the login password showed a value for a new parameter called “UserUId,” which was the same as the user ID. This piqued his interest enough to create a second account and initiate a reset procedure by supplying the “UserUId” value of the first account. The attempt was a success.
This accomplishment, though, wouldn’t let him hijack accounts of other users, unless he could find a way to learn phone numbers registered with CoffeecApp. Robert prodded some more until he found that the app was not protected against brute-force attempts and that it signaled when it processed a valid username.
“In the first request made during the reset process, the app sends your username, which is equal to your phone number, to their server. If this username exists, you will get a 200 response code,” the researcher explains.
“If you send a random username, the server is telling you ‘UserNotExists.’”
These discoveries allow a hacker to bombard the app with phone numbers and find the ones registered with the app. Combined with the password reset procedure, an attacker could hijack accounts and use the available credit on vending machines that support payments via the CoffeecApp mobile app.
There may be no such a thing as a “free lunch” but this apparently does not apply to vending machine coffee.
Image credit: Google
tags
November 14, 2024
September 06, 2024