Security vulnerabilities in GO-JEK

Written by fallible | Published 2017/03/23
Tech Story Tags: startup | uber | indonesia | cybersecurity | security

TLDRvia the TL;DR App

GO-JEK is an Indonesian unicorn & Uber, Grab competitor

GO-JEK is an Indonesian unicorn transport startup, often seen as the most famous and biggest startup to come out of Indonesia. GO-JEK provides services like biketaxi, cabs, food delivery, mobile payments ticket booking and more.

At Fallible, one of the things we are working on is to try to accurately automate data leak detections even in complex logic flow scenarios and non-standard auth procedures used. During a security audit of GO-JEK public APIs consumed by mobile applications, we found multiple security vulnerabilities in GO-JEK. We contacted GO-JEK with the a sample of data leak for Mr. Nadiem Makarim, the CEO of GO-JEK (partial redacted screenshot below). The GO-JEK response in June 2016 was that they are fully aware of all security issues and fixes are in the current roadmap. We recently contacted GO-JEK and we were confirmed by their CISO that it was alright to do a public disclosure of the vulnerabilities now.

Vulnerability #1 Ride History Data Leak

You can get a list of all rides taken of any user using this API endpoint including the exact GPS co-ordinates. The Authorization token is present but is not being used for validation.

https://api.gojekapi.com/gojek/v2/customer/v2/history/551925748

History API

Vulnerability # 2 Order details Leak

Get the details of orders placed via Go-jek API:

https://gobox-api.gojekapi.com/v1/users/551925748/history

Orders

Vulnerability # 3 Users Data Leak

You can get user personal details by their Id number using this API endpoint. This includes their phone number, name, drivers personal details, location of pickup and drop and other ride related information.

And the response would contain phone number of rider and driver along with origin and destination coordinates.

findByOrderId

Unconfirmed # 4 Get other user’s Android notifications for GO-JEK

An unusual vulnerability we detected was that you could use another users id in an API endpoint and and you are all set to snoop on GO-JEK notifications meant for that user. We are researching this vulnerability to see if this can lead to several other stuff and would refrain from disclosing the API endpoint for this.

There are several other API endpoints that can be used to corrupt user data & disrupt operations. For example, you could change the reason of cancellation of rides for all cancelled rides for all users. We would refrain from mentioning the write access APIs at this point.

Published by HackerNoon on 2017/03/23
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy