Disclaimer: The articles shared under the 'Your Voice' section are sent to us by contributors, and we neither confirm nor deny the authenticity of any facts stated below. Parhlo will not be liable for any false, inaccurate, inappropriate or incomplete information presented on the website.
Did you ever think about travelling around without spending a penny? YES? We just did it!
Because little attention is paid to the security of online systems, local companies may not even know they have been compromised while attackers quietly enjoy the fruits on the back end. This is the most modern attack pattern nowadays, and it follows the idea of "keep digging, and don't let the authorities know or make it public."
X and Y were travelling to the GSEA competition on a local transport service well known in Pakistan. While booking tickets online, X thought: why not test the application? X found a flaw in the payment application programming interface (API) used by both the website and the Android app. It allowed anyone to book a ticket almost for free and travel around the country without being noticed, since the printed ticket showed that the traveller had paid the full amount.
We bought a PKR 500 ticket from Peshawar to Rawalpindi for just PKR 100 and, a few days later, repeated the same step for X from Sialkot to Islamabad, this time buying a ticket for just PKR 50, to confirm that the bug still existed.
We printed the tickets and travelled to our destinations. On arrival we visited the travel manager and paid the remaining fare, but they didn't get our point: they assumed it was some issue on the system's end, said it was okay, and didn't even bother to ask how, when or why. They simply said, "okay, thanks!" So in the end we concluded that we could travel for free as well. Yes, we managed to travel for PKR 0 from any terminal to any destination, all for FREE!
So we contacted the CIO of the bus service to explain the vulnerability in the API of their payment system, on both the web and mobile versions. Initially they were very interested and appreciated our approach, and they promised to acknowledge the report with a cash reward, just enough to reflect the worth of this vulnerability. When the CIO patched the vulnerability and asked us to test it, we did so again, this time on official request, and found that the bug was fixed.
The CIO fixed a date to send the bounty for reporting this critical API vulnerability, but to this day the CIO has gone underground and disappeared completely. We were not looking for money, as we are doing fine with our own services and individual work, but since the CIO had promised it we were happy that a local brand had such a good attitude: they knew the team had reported this issue ethically, and they understood what this vulnerability meant to the bus service and how badly it could hurt them financially. They proved us wrong.
This post is simply to raise awareness among brands and developers: make sure you pentest your applications, because bad actors can come in and hurt you in many ways. Our job was to report, and we did that. This is not the first time we have reported critical issues; we have reported many vulnerabilities to top brands, who appreciated our ethical approach and now have us pen testing their apps. A good approach, isn't it?
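The post does not say how the payment API was abused; the following added example (not the bus service's code) assumes the pattern the story is consistent with, namely that the booking backend printed the route fare on the ticket without reconciling it against what the payment gateway actually collected. It shows that weak variant beside a hardened one, plus the after-the-fact settlement check a company could run to learn whether it has already been hit. Routes, fares other than the PKR 500 Peshawar-Rawalpindi fare, and the settlement records are constructed sample data.

```python
from dataclasses import dataclass

# Constructed fare table in PKR. The PKR 500 Peshawar-Rawalpindi fare is
# taken from the post; the Sialkot-Islamabad fare is a made-up sample value.
FARES = {("Peshawar", "Rawalpindi"): 500, ("Sialkot", "Islamabad"): 700}


@dataclass(frozen=True)
class Ticket:
    origin: str
    destination: str
    fare_printed: int  # the amount shown as paid on the printed ticket


def issue_ticket_trusting_gateway(origin, destination, gateway_amount):
    """Weak variant (assumed, not confirmed by the post): the ticket shows the
    table fare, and the amount the gateway collected is never compared to it."""
    return Ticket(origin, destination, FARES[(origin, destination)])


def payment_matches_fare(origin, destination, gateway_amount):
    """Server-side reconciliation: the collected amount must equal the fare
    the server itself looks up for the route; unknown routes never match."""
    fare = FARES.get((origin, destination))
    return fare is not None and gateway_amount == fare


def issue_ticket_reconciled(origin, destination, gateway_amount):
    """Hardened variant: refuse to print a ticket when payment is short."""
    if not payment_matches_fare(origin, destination, gateway_amount):
        raise ValueError(
            f"collected PKR {gateway_amount} for {origin}->{destination}, "
            f"fare is PKR {FARES.get((origin, destination))}")
    return Ticket(origin, destination, gateway_amount)


def find_underpaid(records):
    """Detection over a settlement export: constructed
    (origin, destination, gateway_amount) tuples. Returns the bookings
    whose collected amount is below the route fare, i.e. tickets that
    were printed as fully paid but were not."""
    return [r for r in records if r[2] < FARES[(r[0], r[1])]]


# Constructed settlement export mirroring the post's two test bookings
# alongside one legitimate full-fare booking.
SETTLEMENT = [
    ("Peshawar", "Rawalpindi", 500),
    ("Peshawar", "Rawalpindi", 100),
    ("Sialkot", "Islamabad", 50),
]

if __name__ == "__main__":
    print(issue_ticket_trusting_gateway("Peshawar", "Rawalpindi", 100))
    print(find_underpaid(SETTLEMENT))
```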