How Team SecurityWall Hacked & Traveled FREE - SecurityWall

30 March 2017


Disclosed by SecurityWall
Daewoo Pakistan Hacked

Did you ever think about traveling around without paying a penny? Yes? We just did.

Because so little attention is paid to securing online systems, local companies may not even know that they have been compromised while attackers quietly enjoy the fruits on the back end. This is the most modern attack vector nowadays: keep digging, and tell neither the authorities nor the public.

The SecurityWall team works to secure Pakistan's cyberspace and the online presence of our local applications. We have helped many local brands, but this story is meant to make the local audience and local developers aware that an application which seems secure is not necessarily secure from every end.

Hisham Mir and Babar were traveling to the GSEA competition on Daewoo, a well-known local transport service in Pakistan. While booking the tickets online, Hisham, with a hacker's mindset, thought: why not test the application? He found a flaw in the payment application programming interface (API) used by Daewoo's website and Android app that allowed anyone to book a ticket for almost nothing and travel around the country without being noticed, since the printed ticket showed that the traveler had paid the full amount.

Daewoo Pak Motors (Pvt.) Ltd is a subsidiary of Daewoo Bus Global Corporation of Korea, known for its luxury bus service all over Pakistan, with thousands of people traveling per day. When it comes to securing its servers, however, it looks like the company does not care in the least.
So what happened:

We bought a PKR 500 (5 USD) ticket from Peshawar to Rawalpindi for just PKR 100, and a few days later, to confirm that the bug still existed, we repeated the same steps for Hisham's ticket from Sialkot to Islamabad, this time paying just PKR 50 (0.5 USD).
[Image: the discounted Daewoo ticket]

We printed the tickets and traveled to our destinations. On arrival we visited the travel manager and paid the remaining fare, but they did not get our point: they assumed it was some issue on the system's end, so it was okay. They did not even think to ask how, when, or why; they simply said "okay, thanks!" So in the end we concluded that we could travel for free as well. Yes, we managed to travel for PKR 0 (0 USD) from any terminal to any destination, all for FREE!

So we contacted the CIO of Daewoo to explain the vulnerability in the API of their payment system on both the web and mobile versions. Initially they were very interested and appreciated our approach, and Daewoo also promised to let us disclose it along with a cash reward that was just meant to reflect the worth of this vulnerability. When the Daewoo CIO had patched the vulnerability, they asked us to test it again, which we did, this time upon official request, and we found that the bug was fixed.

The CIO set a date to send the bounty as a reward for reporting this critical API vulnerability, but to date the CIO has gone underground and completely silent. We were not looking for money, as we are doing well with our own services and individual work, but because the CIO had promised, we were happy that a local brand had a good attitude: they knew the team had reported this issue ethically, and they understood what this vulnerability meant to Daewoo and how badly it could have hurt Daewoo financially. They proved us wrong.


Note: This post is published because we discussed disclosing it for awareness with Daewoo officials after the bug was fixed. Our intention was only to report it to them, which we did, and Daewoo fixed it!

This post is just to make brands and developers aware that they must pentest their applications, because bad guys can get in and hurt you in many ways. Our job was to report, and we did so to Daewoo, and this is not the first time we have reported critical issues. We have reported many vulnerabilities in top brands, which appreciated our ethical approach, and now we pentest their apps. A good approach, isn't it?

Oh, I forgot to mention that we finished as 2nd runners-up in GSEA across all of Pakistan, the event thanks to which all of this happened.

Security Is JUST an Illusion ;)

Conclusion
  • While integrating a payment system, pentest your system.
  • A code audit is a must nowadays.
  • Hire a good support team that communicates well.
  • A security consultant will be a plus point.
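As an added example, not code from this post or from Daewoo, here is a booking handler showing the pattern the post describes (the printed ticket shows the full fare while the payment collected a smaller, client-chosen amount) beside a hardened handler that looks the fare up server-side, plus the audit check a defender could run over past bookings. The post does not say exactly what the API got wrong; the example assumes the common case of a payment endpoint trusting a client-supplied amount, and the routes, fares, and function names are constructed.

```python
"""Server-side fare validation for a ticket-booking API (added example).

Assumption: the flaw was a payment endpoint that trusted the amount the
client sent. Routes and fares below are constructed samples, not real data.
"""
from dataclasses import dataclass

# Constructed fare table in PKR; the real one lives in the operator's database.
FARES = {("Peshawar", "Rawalpindi"): 500, ("Sialkot", "Islamabad"): 500}


@dataclass
class Ticket:
    origin: str
    destination: str
    fare_printed: int    # what the printed ticket shows
    amount_charged: int  # what the payment step actually collected


class FareMismatch(ValueError):
    pass


def book_vulnerable(req: dict) -> Ticket:
    """Vulnerable pattern: the client supplies both the route and the amount.
    The ticket is printed with the list fare, so a request carrying a smaller
    'amount' yields a ticket that looks fully paid."""
    fare = FARES[(req["origin"], req["destination"])]
    return Ticket(req["origin"], req["destination"], fare, req["amount"])


def book_hardened(req: dict) -> Ticket:
    """Hardened pattern: the server looks the fare up itself and charges exactly
    that; a client-sent 'amount' is only cross-checked, never trusted."""
    route = (req["origin"], req["destination"])
    if route not in FARES:
        raise ValueError("unknown route")
    fare = FARES[route]
    # Accept the client's figure only as confirmation that both sides agree.
    if "amount" in req and int(req["amount"]) != fare:
        raise FareMismatch(f"client sent {req['amount']}, fare is {fare}")
    return Ticket(req["origin"], req["destination"], fare, fare)


def audit_tickets(tickets) -> list:
    """Detection: flag issued tickets whose collected amount is below the
    printed fare. Run over historical bookings, this finds underpaid tickets
    like the ones described in the post."""
    return [t for t in tickets if t.amount_charged < t.fare_printed]
```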

We are a team of well-known security researchers eager to dig deep into your algorithms and find critical flaws.

Let us know if you need an assessment of your application.

Ping us at support@securitywall.co