Hacking more than 130 000 cars worldwide in 5 minutes
Hello everyone, I am Ahmad Mansour, an 18-year-old penetration tester from Lebanon (web, API, network, Active Directory and a bit of basic mobile pentesting). Without wasting time, let's dive into today's writeup.
As the title says, I was able to find a vulnerability that allowed me to track and access the location of more than 130 000 cars in a few steps.
Before we continue the writeup, let me highlight some points:
- I did not hack a specific car model itself; rather, the vulnerability exists in an application used by hundreds of thousands of cars.
- The vulnerability was in the application that those car owners are using.
- I am reaching out to the company to help them fix the issue.
The whole thing started when I was scrolling TikTok like anyone else and saw an ad for GPS car-tracking software. I was watching the video as a normal viewer, but the browser on the presenter's computer showed a URL of the following form:
APP/home#/history?card=NUMBER&machineType=NUMBER&user=NUMBER
The first thing that came to mind was simply to paste the URL into my own browser: maybe the endpoint had insufficient authorization and would let me view the car's details and real-time location. But it redirected me with an error.
Most of us would stop here, but I thought it would be interesting to see whether I could view any car in real time.
So I took note of the URL and started trying the application in different areas. A button labelled “Demo” caught my interest, a demo of the application. A quick tip here: always test demo accounts, demo cards, or anything else that might change your permissions. The idea was to enter the Demo section and see whether my privileges changed or the application changed something in its behaviour.
I simply clicked the “Demo” section and entered the same URL:
APP/home#/history?card=NUMBER&machineType=NUMBER&user=NUMBER
As you can see, I was able to see the location of a specific car for today, yesterday, this week and last week.
The first thing I did when I saw the real-time tracking output was check what had actually happened to cause this vulnerability. While analysing the HTTP requests, I found a specific request that added a cookie to my requests: test=0.
When I changed it to 1, I couldn't access the details any more. So what I inferred is that setting test to 0 or 1 happens when you enter the demo section of the website. This downgrades your session to a demo account, and the demo account lacks sufficient authorization enforcement, which is what enabled me to view other cars.
The app had more than 130 000 users, most of whom probably have cars on the platform. Changing the IDs in the URL also allowed me to view other people's cars.
Another user's cars:
As you can see, the vulnerability allowed me to access the real-time location of these cars, which is a very sensitive and dangerous issue.
I am trying to reach out to the company to mitigate the issue, and I have not disclosed anything that identifies the app, so as not to expose it.
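To make the root cause concrete, here is an added example (not code from the original post or from the affected application) contrasting an authorization check that lets a client-supplied demo cookie bypass ownership checks with a hardened version that decides access server-side. The card/user data, the cookie name semantics and the function names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: which tracker cards belong to which user,
# and which cards make up the public demo fleet.
CARD_OWNER = {1001: "alice", 1002: "alice", 2001: "bob"}
DEMO_CARDS = {9001, 9002}


@dataclass
class Session:
    user: Optional[str]   # authenticated user; None for an anonymous/demo visitor
    cookies: dict         # cookies sent by the client (client-controlled!)


def history_vulnerable(session: Session, card: int) -> bool:
    """Pattern described in the post: a client-controlled cookie (test=0)
    switches the request into demo mode, and demo mode skips the
    ownership check, so any card id becomes viewable."""
    if session.cookies.get("test") == "0":
        return True
    return CARD_OWNER.get(card) == session.user


def history_hardened(session: Session, card: int) -> bool:
    """Access is decided from the server-side session and the card's owner.
    The demo fleet is public; everything else requires the caller to own
    the card. No cookie value can widen what a session may see."""
    if card in DEMO_CARDS:
        return True
    if session.user is None:
        return False
    return CARD_OWNER.get(card) == session.user


def cards_per_session(log_lines: list) -> dict:
    """Simple detection aid: count distinct card ids requested per session
    from constructed access-log lines of the form 'session=<id> card=<n>'.
    One session touching many different cards is the id-enumeration
    pattern the post describes."""
    seen: dict = {}
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        seen.setdefault(fields["session"], set()).add(int(fields["card"]))
    return {s: len(cards) for s, cards in seen.items()}
```

The hardened check also covers the id-changing step: an authenticated user asking for another owner's card is refused, not just the demo session.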
Conclusion
1- This is for normal users: PLEASE stop downloading and using random apps. Most GPS-tracking and IoT-management apps are full of security vulnerabilities. The vulnerability I found did not take me more than 5 minutes to find; imagine if someone decided to use this for evil and escalated the attack.
2- For pentesters/security people:
- Always test the same endpoint at multiple levels (account types, permissions) with the same URL, and keep checking which cookies are added or which behaviours change.
And finally, if you would like to reach out to me with any question, I am currently activating my LinkedIn account (the profile is still not updated, but you can contact me there: https://www.linkedin.com/in/ahmad-mansour-2709a91b4/)