Nothing is safe in a hacker conference: not even the coffee machine

On the 6th of July 2019, LeHack, one of the oldest French underground hacker events, took place at the Cité des Sciences et de l’Industrie in Paris. The morning was super cool; I had the chance to meet and chat with a lot of people. After lunch I started to feel tired, so I decided to have a coffee, and that’s where this story begins.

Introduction

[image]

This coffee machine is quite standard, so I paid for my coffee with my credit card and was ready to leave when I saw this.

[image]

It says “Pay with your smartphone! Download the Coffee cApp”. Wait, what? I can pay for my coffee with an Android app! I’m a hacker at a hacker conference with plenty of time. It’s time to do my thing.

[Image: description of the CoffeecApp in the Play Store]

I downloaded this <sarcasm>very useful</sarcasm> app and started using it. Spoiler: the next two hours were pretty productive.

Account Takeover

[Image: response of the account creation request]

First I created an account. Interesting: the response contains a UserId.

[Image: password reset request]

After that, I reset the password of my account. The POST request carries a parameter called “Password”, which is your current password, a parameter called “ConfirmPassword”, which is your new password, and, wait, what?! a parameter called “UserUId”. The value of this “UserUId” parameter is the same as the “UserId” value in the account-creation response. In other words, the client tells the server which account the reset applies to. What happens if I replace my UserUId with someone else’s? Let’s try!

To check whether I can reset the password of another account, I created a second account. I reset the password of this second account, and in the POST request to the /User/ResetPassword endpoint I replaced the UserUId value with the UserUId of my first account. Bingo, it works! The password of the first account has been reset. The server trusts the client-supplied identifier instead of deriving the account from the session: a classic insecure direct object reference (IDOR).
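To make the flaw concrete, here is an added example (not the app’s code, and not the author’s) with a constructed in-memory backend standing in for the Coffee cApp server. The UserUId values, phone numbers and passwords are invented, and it is an assumption that the real server checked the “Password” field against the caller’s own account; the page only shows that the account being modified came from the UserUId in the body. The vulnerable handler reproduces that behaviour, and the hardened handler beside it takes the target account from the session and rejects any request that tries to name one:

```python
import secrets
from dataclasses import dataclass


# Constructed stand-in for the server's user store (invented data).
@dataclass
class User:
    user_uid: str
    phone: str       # the app uses the phone number as the username
    password: str


class Backend:
    def __init__(self):
        self.users = {
            "7f2c1a9e": User("7f2c1a9e", "0600000001", "victim-pass"),
            "b44d0e31": User("b44d0e31", "0600000002", "attacker-pass"),
        }
        self.sessions = {}   # bearer token -> user_uid

    def login(self, phone, password):
        """Toy login: returns a bearer token for valid credentials."""
        for u in self.users.values():
            if u.phone == phone and secrets.compare_digest(u.password, password):
                token = secrets.token_hex(16)
                self.sessions[token] = u.user_uid
                return token
        return None

    def reset_password_vulnerable(self, token, form):
        """Reproduces the flaw: the account to modify is whatever UserUId
        the client sends, not the caller's own account.
        Assumption: 'Password' is checked against the caller (page does not say)."""
        caller_uid = self.sessions.get(token)
        if caller_uid is None:
            return "Unauthorized"
        caller = self.users[caller_uid]
        if not secrets.compare_digest(caller.password, form["Password"]):
            return "Forbidden"
        target = self.users.get(form.get("UserUId"))
        if target is None:
            return "UserNotExists"
        target.password = form["ConfirmPassword"]   # IDOR: target may differ from caller
        return "OK"

    def reset_password_fixed(self, token, form):
        """Hardened: the target is always the session owner, and a request
        that tries to name an account is rejected outright."""
        caller_uid = self.sessions.get(token)
        if caller_uid is None:
            return "Unauthorized"
        if "UserUId" in form:
            return "BadRequest"          # the client must not choose the account
        caller = self.users[caller_uid]
        if not secrets.compare_digest(caller.password, form["Password"]):
            return "Forbidden"
        caller.password = form["ConfirmPassword"]
        return "OK"


def run_attack(handler_name):
    """The attack from the write-up: the attacker (second account) logs in with
    their own password and submits a reset carrying the victim's UserUId.
    Returns (server response, victim's password afterwards)."""
    be = Backend()
    token = be.login("0600000002", "attacker-pass")
    form = {"Password": "attacker-pass", "ConfirmPassword": "pwned",
            "UserUId": "7f2c1a9e"}           # victim's id, obtained by enumeration
    resp = getattr(be, handler_name)(token, form)
    return resp, be.users["7f2c1a9e"].password


def run_self_reset():
    """A legitimate reset against the hardened handler: no UserUId in the body,
    the caller's own account is changed. Returns (response, caller's password)."""
    be = Backend()
    token = be.login("0600000002", "attacker-pass")
    form = {"Password": "attacker-pass", "ConfirmPassword": "new-pass"}
    resp = be.reset_password_fixed(token, form)
    return resp, be.users["b44d0e31"].password


if __name__ == "__main__":
    print(run_attack("reset_password_vulnerable"))  # ('OK', 'pwned')
    print(run_attack("reset_password_fixed"))       # ('BadRequest', 'victim-pass')
    print(run_self_reset())                         # ('OK', 'new-pass')
```

The design point is that the identifier of the object being modified must come from something the server controls (the session), never from a field the client can edit. Rejecting, rather than silently ignoring, a client-supplied UserUId also makes tampering visible in the logs.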

OK Elliot, that’s cool, but to take over an account you need the victim’s UserUId.

Account enumeration

[image]

[image]

In the first request made during the reset process, the app sends your username, which is your phone number, to the server. If this username exists, you get a 200 response code.

[image]

[image]

If you send a random username, the server replies “UserNotExists”. The two responses are distinguishable, so this endpoint is a user-enumeration oracle.

I sent the request to Intruder in Burp Suite and, damn, there is no rate limiting: you can brute-force the username field and enumerate every valid account. Since usernames are phone numbers, the keyspace is small and structured, which makes the sweep practical. By chaining the two vulnerabilities we can now take over every account in the app.

Pin brute force

Last but not least, I found another vulnerability in the app. When you create an account, they send you a PIN to validate it.

[image]

This is the request the app sends to validate the PIN entered by the user. Did I tell you there is no rate limit on the server? As a consequence, you can brute-force the PIN: with no attempt limit and no lockout, every possible value can simply be tried.
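Both the username enumeration above and this PIN brute force come down to the same two server-side mistakes: a response that reveals something per guess, and no limit on how many guesses a client may make. The following added example (not the app’s code, and not the author’s) models both endpoints with a constructed mock server. The phone numbers, the 4-digit PIN, the per-client window of 10 username checks per minute and the 5-attempt PIN lockout are all assumptions chosen for the demonstration; the page states neither the PIN length nor any limits. The attacker functions do what Burp Intruder did, walking a phone-number range and then a PIN range, against the vulnerable server and the hardened one:

```python
import itertools
import time

# Constructed sample data (invented): registered phone numbers and one
# pending account-validation PIN.
ACCOUNTS = {"0600001234", "0600004321"}
PINS = {"0600001234": "7341"}


class VulnerableServer:
    """Mirrors the behaviour described in the write-up: distinguishable
    answers for known/unknown usernames and unlimited PIN attempts."""

    def __init__(self, accounts, pins):
        self.accounts = set(accounts)   # usernames are phone numbers
        self.pins = dict(pins)          # phone -> pending PIN
        self.requests = 0               # how many requests the attacker needed

    def check_username(self, phone, client="198.51.100.7"):
        self.requests += 1
        # Oracle: the body differs depending on whether the account exists.
        return (200, "OK") if phone in self.accounts else (200, "UserNotExists")

    def verify_pin(self, phone, pin):
        self.requests += 1
        return (200, "Validated") if self.pins.get(phone) == pin else (400, "InvalidPin")


class HardenedServer(VulnerableServer):
    MAX_PIN_ATTEMPTS = 5          # assumed lockout threshold per pending PIN
    WINDOW = 60.0                 # assumed rate-limit window in seconds
    MAX_CHECKS_PER_WINDOW = 10    # assumed username checks per client per window

    def __init__(self, accounts, pins, now=time.monotonic):
        super().__init__(accounts, pins)
        self.now = now
        self.check_log = {}       # client -> timestamps of recent checks
        self.pin_attempts = {}    # phone -> failed PIN attempts

    def _throttled(self, client):
        t = self.now()
        recent = [s for s in self.check_log.get(client, []) if t - s < self.WINDOW]
        recent.append(t)
        self.check_log[client] = recent
        return len(recent) > self.MAX_CHECKS_PER_WINDOW

    def check_username(self, phone, client="198.51.100.7"):
        self.requests += 1
        if self._throttled(client):
            return (429, "TooManyRequests")
        # Same answer whether or not the account exists; the reset code is
        # only sent out of band (SMS) when it does, so there is nothing to learn.
        return (200, "IfRegisteredYouWillReceiveACode")

    def verify_pin(self, phone, pin):
        self.requests += 1
        if self.pin_attempts.get(phone, 0) >= self.MAX_PIN_ATTEMPTS:
            return (423, "Locked")       # PIN burned; user must request a new one
        if self.pins.get(phone) == pin:
            self.pin_attempts.pop(phone, None)
            return (200, "Validated")
        self.pin_attempts[phone] = self.pin_attempts.get(phone, 0) + 1
        return (400, "InvalidPin")


def enumerate_accounts(server, prefix="060000", digits=4):
    """Intruder-style sweep over a phone-number range; keeps every username
    the server reports as existing. Stops if the server starts throttling."""
    found = []
    for tail in itertools.product("0123456789", repeat=digits):
        phone = prefix + "".join(tail)
        status, body = server.check_username(phone)
        if status == 429:
            break
        if body == "OK":
            found.append(phone)
    return found


def brute_force_pin(server, phone, length=4):
    """Tries every PIN of the given length in order; returns the PIN that
    validated, or None if the server locked the account first."""
    for guess in (f"{i:0{length}d}" for i in range(10 ** length)):
        status, body = server.verify_pin(phone, guess)
        if body == "Validated":
            return guess
        if status == 423:
            return None
    return None


if __name__ == "__main__":
    v = VulnerableServer(ACCOUNTS, PINS)
    print(enumerate_accounts(v), brute_force_pin(v, "0600001234"), v.requests)
    h = HardenedServer(ACCOUNTS, PINS)
    print(enumerate_accounts(h), brute_force_pin(h, "0600001234"), h.requests)
```

Against the vulnerable server the sweep recovers both accounts and the PIN falls after a few thousand requests. Against the hardened server the sweep learns nothing even before the 429 arrives, because the body no longer depends on whether the account exists, and the PIN guessing stops at the fifth failure. Note that the per-client throttle alone would not fix enumeration (an attacker can spread requests across addresses); the uniform response is what removes the oracle, and the throttle just raises the cost of the remaining channel, the SMS itself.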

Conclusion

FFS, you don’t need to connect everything; an app for your coffee machine is useless.