It was possible to do systematic account takeover for one of Norway's biggest parking companies.
Published: | Mon, June 11, 2018, 06:40 |
Category: |
Security
|
Tags: |
Security Monday
Information leak
Account takeover
OWASP 2017 A5
|
The parking company OnePark had a security issue that made it possible to systematically iterate through and change the username and password for all of their customers. By logging in afterwards one could collect personal data and even register your car's licence plate to be paid by that account.
Who: | OnePark |
Severity level: | Medium |
Reported: | November 2017 |
Reception and handling: | Fair |
Status: | Fixed |
Reward: | A thank you |
Issue: | Information leak with personal information |
OnePark is one of Norway's biggest parking companies. They have many parking lots where they use automatic number-plate recognition (ANPR). You can just park your car, and then after picking it up you have 48 hours to go online to pay your bill. You don't even have to do any registration up front.
I got a tip that OnePark sends out the passwords for their accounts in clear text - and that is just never a good sign. So I decided to take a quick peek at their site.
Most stuff looked good, but I hesitated when I saw that the web form for updating the user profile actually sent the user's ID back. The user ID was that classic integer that we so often see and therefore - when there's a vulnerability - opens up for an enumeration attack.
I didn't want to destroy anyone else's data so I created myself a another new account and tested by passing that user ID in when doing a profile update with a third e-mail address and a new password. The site didn't complain, and voilΓ - I was able to log in to the other account with that e-mail address and password. π±βπ»
But of course, now the data was all replaced by mine. So I removed all other form fields than the username (e-mail address) and password from the profile update request. This worked just fine.
Inside the other person's profile it was now possible to get hold of all the personal data, including any licence plate numbers and see if there was payment information added to the profile. The payment information was securely stored at a third-party site.
Since the user ID was an integer one could easily have set up a script to steal all the data. And not only that, one could also of course do vandalism by updating/removing the data. What's more - if one's a bit bold - one could register the licence plate of the car and remove it after the parking was paid for. I did not check if this would be easily spotted and trackable for either the customer or OnePark.
I found a contact form where I described the issue with the account takeover.
I got an automatic reply that they had received the e-mail.
I got a phone call (even though I didn't give them my phone number) from one of the chiefs of the company that apparently was responsible for OnePark's web solution.
He thanked me a lot and clearly was proud that they had fixed the issue in just three hours. Three hours? Well, my message took 9.5 days to reach the people that could actually fix the issue.
While the handling of this company was good, OnePark seems to have quite a way to go on how to receive and handle issues around their online security.
Just after the phone call I also received an e-mail from the same chief - again thanking me and telling how they dealt with the issue.
Just like the security issue with the power company Norgesnett this is a case where the authorization check for updating the profile fails. And because of the usage of an integer as user ID it was possibly to systematically exploit the issue.
It is quite common for software developers to trust the authentication, but then forgetting the authorization check and user input sanitization.
And yet again we can see our personal data open for anyone to stealβ¦