Mining food or "Pyaterochka" through the eyes of a hacker

Introduction

I was inspired to write this post by an article that has been on Habr for a long time. I want to apologize to the author right away: it was impossible to think of a better title. As you all know, Pyaterochka actively advertises its loyalty cards. The article above told us that scammers activate other people's cards and write off the points. The hackers went further: instead of activating other people's cards, they simply began breaking into users' personal accounts. What? Activating cards sounds even easier. Let's take a closer look.

A little about the security of personal accounts

(screenshot of the personal account login form)

As we can see, you can log into your personal account using your phone number and password, but it is not quite that simple. After entering the details, a window appears for entering the SMS code, which is sent to the owner's phone.

(screenshot of the SMS code prompt)

How would one hack this? Iterating over the code is impossible: there are only 3 attempts, and the code is four digits. We discard this option immediately, but the hackers somehow succeed, which means we will succeed too!

Pyaterochka application

Like any other store with a loyalty program, the Pyaterochka chain has its own application. Only the application is not so simple: it has its own cockroaches in the code. Let's figure out what is wrong with the app.

You can also log into your personal account with a phone number and password, and an SMS confirmation arrives as above, but there is one interesting point. The application "remembers" the account, and the next time you try to log in, instead of sending the SMS code to the phone, it sends a push notification directly to the application. Let me explain in more detail. When you log into your account for the first time, you have to enter the code from the SMS. If for some reason you log out and log in again, the second and subsequent times you will not receive an SMS code; instead, the SMS code field in the application is filled in automatically. Wonderful! This is beautifully done, of course, but there is one huge drawback. I noticed a bug in version 2.12.1 of the Pyaterochka application, and possibly in other versions. What is the bug and how can it be reproduced?

Below you can see two videos. They were not filmed by me, but they show very clearly all the problems with push notifications and the application bugs.

i.imgur.com/BcLnANt.mp4

i.imgur.com/LIGOkBT.mp4

The first video shows the hacker entering his login details, receiving an SMS on the phone and logging into his own account. Then he logs out and goes through authorization again. The second time we can clearly see that no SMS arrives on the phone and the input field is filled in automatically from a push notification.

In the second video, the attacker is already trying to log into an account that does not belong to him. He enters the details, but for obvious reasons he does not know the code from the SMS. Then he kills the application and starts it again. At this point the application bug is clearly visible: a completely white window opens, after which the attacker logs out of the account. Then he enters the login details again and, lo and behold, receives a push notification! Why did this happen? You would have to ask the application developers...

Solution methods

Personally, I can advise the developers to disable push notifications so that attackers cannot hijack accounts; disable them temporarily, of course, until the problem is fixed. I am not good at developing applications myself and cannot suggest anything more sensible, but they still have not turned off push notifications.
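As an added illustration, not code from the Pyaterochka app (whose internals the post does not show), here is a minimal Python model of the login flow described above in which the "remembered device" shortcut exists only once the SMS code has actually been verified, so an attempt that is abandoned when the app is killed and relaunched leaves nothing a later login can turn into a push. The phone number, password and in-memory dictionaries are constructed for the demo.

```python
import secrets
from dataclasses import dataclass, field

MAX_SMS_ATTEMPTS = 3  # the post reports three tries for the four-digit code


@dataclass
class AuthServer:
    """Server-side model: password, then SMS code, then a remembered-device token."""
    users: dict = field(default_factory=lambda: {"+79990000000": "hunter2"})  # constructed demo account
    outbox: dict = field(default_factory=dict)   # phone -> last SMS code (stands in for the carrier)
    pending: dict = field(default_factory=dict)  # login_id -> [phone, code, attempts_left]
    trusted: dict = field(default_factory=dict)  # device_token -> phone

    def start_login(self, phone, password, device_token=None):
        if self.users.get(phone) != password:
            return {"status": "denied"}
        # The SMS step is skipped only for a token minted by verify_sms. A client that
        # merely started a login earlier, was killed and relaunched, holds no such token.
        if device_token is not None and self.trusted.get(device_token) == phone:
            return {"status": "ok", "via": "push"}
        login_id = secrets.token_hex(8)
        self.outbox[phone] = f"{secrets.randbelow(10_000):04d}"
        self.pending[login_id] = [phone, self.outbox[phone], MAX_SMS_ATTEMPTS]
        return {"status": "sms_required", "login_id": login_id}

    def verify_sms(self, login_id, code):
        entry = self.pending.get(login_id)
        if entry is None:
            return {"status": "denied"}
        phone, expected, _ = entry
        if not secrets.compare_digest(expected, code):
            entry[2] -= 1
            if entry[2] == 0:               # third wrong code kills the attempt
                del self.pending[login_id]
            return {"status": "denied"}
        del self.pending[login_id]          # a code is single use
        token = secrets.token_hex(16)
        self.trusted[token] = phone         # device trust exists only past this line
        return {"status": "ok", "via": "sms", "device_token": token}

    def abandon(self, login_id):
        """App killed or restarted mid-flow: the half-finished attempt is dropped."""
        self.pending.pop(login_id, None)

    def revoke(self, device_token):
        """Explicit 'forget this device'; a plain logout keeps the token on purpose."""
        self.trusted.pop(device_token, None)
```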

Consequences

Because of an error in the code, ordinary people suffer, namely honest customers. You can read angry reviews from people whose points were stolen at the link: vk.com/topic-19098821_24191218. Below I will leave a couple of posts; in fact there are many more, but I can no longer find some of them.

(screenshots of user posts about stolen points)

The problem of stolen points is very real, and this business has been flourishing for at least a year. You can even find posts on a pick-up.

Conclusions

There are no perfect applications, but this bug is terrible. I do not urge you to break the law, and especially not to steal anything from anyone! The post was written with the aim of getting the bug fixed and reaching the application developers (I sent them a letter more than a month ago, and the result was zero).

All the best, and do not make such mistakes in your code!