How Team SecurityWall Hacked & Traveled FREE

Did you ever think about traveling around without a penny? Yes? We just did it.

Because little attention is paid to securing online systems, local companies may not know that they are compromised while hackers enjoy the fruits on the back end. This is the most modern attack pattern nowadays: keep digging, and don't let the authorities make it public.

The SecurityWall team works to secure Pakistan's cyberspace and the online presence of our local applications. We have helped many local brands, but this story is meant to make the local audience and local developers aware that an application that seems secure isn't necessarily secure from every end.

Hisham Mir and Babar were traveling to the GSEA competition on Daewoo, a well-known local transport service in Pakistan. While booking tickets online, Hisham, with a hacker's mindset, thought: why not test the application? He managed to find a flaw in Daewoo's payment application programming interface (API), on both its website and its Android app, that allowed anyone to book a ticket for almost free and travel around the country without getting noticed, since the printed ticket would show that the traveler had paid the full amount.

Daewoo Pak Motors (Pvt.) Ltd is a subsidiary of Daewoo Bus Global Corporation of Korea, known for its luxury bus service all over Pakistan, with thousands of people traveling per day. However, when it comes to securing its servers, it looks like the company does not give an inch.

So what happened:

We bought a PKR 500 (5 USD) ticket from Peshawar to Rawalpindi for just PKR 100. A few days later, to confirm that the bug still existed, we repeated the same step for Hisham from Sialkot to Islamabad, but this time we bought a ticket for just PKR 50 (0.5 USD).

[Image: Daewoo Hacked Ticket]

We managed to print the tickets and traveled to our destinations. Upon arrival we visited the travel manager and paid the remaining fee, but they didn't get our point: they thought this was some issue on the system's end, so it was okay. They didn't even think to ask how, when or why; they simply said, "Okay, thanks!" So in the end we concluded that we could travel for free as well. Yes, we managed to travel for PKR 0 (0 USD) from any terminal to any destination, all for FREE!

So we contacted the CIO of Daewoo to explain the vulnerability in the API of their payment system on both the web and mobile versions. Initially they were very interested and appreciated our approach, and Daewoo also promised to disclose it with a cash reward, which was just to pay the worth of this vulnerability. When the Daewoo CIO patched the vulnerability and asked us to test, we did so again, this time upon official request, and found that the bug was fixed.

The CIO fixed a date to send the bounty as a reward for reporting this critical API vulnerability, but to date the CIO is underground and totally gone. We were not looking for money, as we are doing well with our own services and individual work, but since the CIO had promised, we were happy that a local brand had a good approach and understood how the team had ethically reported this issue, what this vulnerability means to Daewoo and how badly it could affect Daewoo financially. But they proved us wrong.

Note: This post is disclosed because we talked to Daewoo officials about disclosing it for awareness after the bug was fixed. Our intention was just to report it to them, which we did, and Daewoo fixed it!

This post is just to make brands and developers aware: make sure to pentest your applications, because bad guys can come in and hurt you in many ways. Our job was to report, and we reported to Daewoo, and this is not the first time we have reported critical issues. We have reported many vulnerabilities to top brands, which have appreciated our ethical approach, and now we are pen-testing their apps. A good approach, isn't it?

Oh, I forgot to mention: we stood as 2nd runners-up in GSEA all over Pakistan, the event due to which this all happened.

Security Is JUST an Illusion ;)

Conclusion
  • While integrating the payment system, pentest your system.
  • A code audit is a MUST nowadays.
  • Hire a good support team to communicate well.
  • A security consultant will be a plus point.
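
One check that catches this kind of discrepancy, wherever the payment flaw sits, is reconciling every issued ticket against what the payment gateway actually settled. The Python below is an added example, not code from Daewoo or from the original post; the record layout, ticket IDs, statuses and every amount other than the PKR 500 / PKR 100 pair are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample records; field names and IDs are hypothetical.
# Fares come from the operator's own tariff table, never from the booking request.
ISSUED_TICKETS = [
    {"ticket_id": "T-1001", "fare": Decimal("500")},  # paid in full
    {"ticket_id": "T-1002", "fare": Decimal("500")},  # PKR 100 settled, as in the post
    {"ticket_id": "T-1003", "fare": Decimal("500")},  # payment attempt failed
    {"ticket_id": "T-1004", "fare": Decimal("900")},  # paid, then refunded
]
# What the payment gateway reports it actually moved (constructed).
GATEWAY_SETTLEMENTS = [
    {"ticket_id": "T-1001", "amount": Decimal("500"), "status": "captured"},
    {"ticket_id": "T-1002", "amount": Decimal("100"), "status": "captured"},
    {"ticket_id": "T-1003", "amount": Decimal("500"), "status": "failed"},
    {"ticket_id": "T-1004", "amount": Decimal("900"), "status": "captured"},
    {"ticket_id": "T-1004", "amount": Decimal("900"), "status": "refunded"},
]

def net_settled(settlements):
    """Net money received per ticket: captures minus refunds; failed attempts add nothing."""
    totals = defaultdict(Decimal)
    for s in settlements:
        if s["status"] == "captured":
            totals[s["ticket_id"]] += s["amount"]
        elif s["status"] == "refunded":
            totals[s["ticket_id"]] -= s["amount"]
    return totals

def reconcile(tickets, settlements):
    """Return one finding per issued ticket whose net settled amount differs from the fare."""
    paid = net_settled(settlements)
    findings = []
    for t in tickets:
        received = paid.get(t["ticket_id"], Decimal("0"))
        if received == t["fare"]:
            continue
        if received <= 0:
            reason = "UNPAID"
        else:
            reason = "UNDERPAID" if received < t["fare"] else "OVERPAID"
        findings.append({"ticket_id": t["ticket_id"], "reason": reason, "fare": t["fare"],
                         "received": received, "shortfall": t["fare"] - received})
    return findings

if __name__ == "__main__":
    for f in reconcile(ISSUED_TICKETS, GATEWAY_SETTLEMENTS):
        print(f"{f['ticket_id']}: {f['reason']} fare={f['fare']} received={f['received']}")
```

Run against the previous day's tickets, a report like this surfaces a ticket that prints as fully paid while the gateway settled less, which is exactly the situation the travel manager in the story had no way to see.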

We are a team of well-known security researchers who are eager to go deep into your algorithms and find critical flaws. Let us know if you need an assessment of your application.