Shubham Paramhans and Prateek Panda, who work with the start-ups Kuliza and AppKnox, respectively, are ethical hackers. In the past, they have tested several mobile applications, reported the problems they found to the companies concerned and, in some cases, helped fix them.
A month ago, when the duo tried such an experiment on the mobile app of Ola (formerly Ola Cabs), they found the app "so vulnerable that we don't even want to call it a hack", says Panda.
"I was monitoring my phone traffic from a proxy server. While doing that, I saw Ola API (application programming interface) calls going from my phone (since I was booking a cab)," said Paramhans in a blog post titled 'Fooling the Startup of the Year - Hacking into Ola Wallet'.
"After seeing those flashing binary data going from my system, I forgot my weekend project and started tweaking and reverse engineering Ola API, which resulted in breaking into their money transaction system and I was able to recharge my Ola Wallet with any amount," he said in his blog post.
In the past, Panda and his team at AppKnox, incubated at Microsoft Ventures Accelerator, have discovered vulnerabilities in Facebook, Google, Microsoft, Skype, Yahoo and PayPal, says the company website.
Panda, Paramhans and the team at AppKnox, all in their early 20s, tried several transactions on the app after hacking into it. While Ola does not allow users to recharge their wallets with less than Rs 100, the two managed to top up their wallets with amounts as small as Rs 10 and Rs 20, which indicates the minimum was enforced in the app but not by the server handling the transaction.
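The account above describes a wallet top-up that the app limits to Rs 100 or more but the backend accepted for Rs 10. As an added illustration, not Ola's code and not the researchers' exploit, the Python below shows the server-side handling a wallet service needs: the amount the client posts is treated as a claim to be checked, the value actually credited comes from the payment gateway's own record of what was captured, and the minimum, maximum, replay and payment-status checks all run on the server regardless of what the app does. The gateway lookup table, the Rs 10,000 cap, the payment ids and the function and class names are constructed assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Assumed policy values: Rs 100 is the minimum the article mentions,
# the Rs 10,000 per-transaction cap is hypothetical.
MIN_TOPUP = Decimal("100")
MAX_TOPUP = Decimal("10000")

# Constructed stand-in for the payment gateway's record of what was
# actually captured: payment id -> (status, captured amount).
# A real service would query the provider for this.
GATEWAY_RECORDS = {
    "pay_ok_100": ("SUCCESS", Decimal("100")),
    "pay_ok_10": ("SUCCESS", Decimal("10")),
    "pay_failed_500": ("FAILED", Decimal("500")),
}


@dataclass
class Wallet:
    balance: Decimal = Decimal("0")
    credited: set = field(default_factory=set)  # payment ids already applied


def credit_topup(wallet, request, gateway=GATEWAY_RECORDS):
    """Apply a top-up request. Returns "credited" or a rejection reason.

    The client-supplied amount is only a claim to verify; the value credited
    is what the gateway says it captured. Every rule is enforced here even
    if the mobile app checks the same thing, because the app can be bypassed.
    """
    try:
        claimed = Decimal(str(request.get("amount", "")))
    except InvalidOperation:
        return "rejected: amount is not a number"
    if not claimed.is_finite() or claimed != claimed.to_integral_value():
        return "rejected: amount must be a whole number of rupees"
    if claimed < MIN_TOPUP or claimed > MAX_TOPUP:
        return f"rejected: amount outside {MIN_TOPUP} to {MAX_TOPUP}"

    payment_id = request.get("payment_id")
    if payment_id in wallet.credited:
        return "rejected: payment already credited (replay)"

    status, captured = gateway.get(payment_id, ("UNKNOWN", None))
    if status != "SUCCESS":
        return f"rejected: gateway status {status}"
    if captured != claimed:
        # The client asked for more (or less) than it actually paid.
        return "rejected: claimed amount does not match captured amount"

    wallet.credited.add(payment_id)
    wallet.balance += captured  # credit the captured value, never the claim
    return "credited"


if __name__ == "__main__":
    w = Wallet()
    print(credit_topup(w, {"amount": "100", "payment_id": "pay_ok_100"}), w.balance)
    print(credit_topup(w, {"amount": "10", "payment_id": "pay_ok_10"}), w.balance)
    print(credit_topup(w, {"amount": "500", "payment_id": "pay_ok_10"}), w.balance)
```

The test that matters is the third call: a request that claims Rs 500 against a payment the gateway captured as Rs 10 is refused, because the service never credits the number the client sent. The replay check protects against a captured successful payment being submitted twice.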
According to Ola, all the bugs pointed out by the hackers have been fixed in an update of the app that's been released. "There is no threat to data and information security whatsoever to users," it stated. "Like any technology company, we progressively issue updates, which include bug fixes from time to time. We urge users to update their apps to the latest version."
While the hackers acknowledged that the new version of the app has fixed the bug that had allowed them to top up the wallet, they said they were still able to capture usernames and passwords when a device was used on a shared network.
"All this takes less than three minutes to perform. Imagine you are at a public event, like a media conference or a hotel or even at the airport and connected to a public network, any hacker can start sniffing your data and exploit it, and this is not something difficult to do," said Panda in an email to Business Standard, detailing the steps for conducting the hack.
In their blog posts, the hackers said they had made multiple attempts to contact Ola but received a standard reply, that the company was aware of the bugs. According to an email, a snapshot of which was posted by AppKnox on its website, an Ola official replied to their emails, saying, "Our alerting mechanism also caught Subho Halder (chief technology officer of AppKnox), who was trying to test our APIs. The only reason for not considering AppKnox for know (sic) is because we already know about a huge backlog of bugs and the fix for those would be going live soon. So, the scan you have initiated could catch a couple of bugs (we already know about them) as expected."
Globally, online companies encourage ethical hackers to test their mobile apps and report any bugs they find. For example, social networking major Facebook offers a 'bug bounty' to hackers who flag security-related issues in its apps, with rewards that in some cases run as high as $300,000. According to reports, Laxman Muthiyah, a 22-year-old website developer from Chennai, has been rewarded by the social networking platform twice in the past month, with $22,500 (Rs 14 lakh), for ferreting out bugs in its system. In February this year, 17-year-old security researcher Indrajeet Bhuyan found a problem with the mobile instant messenger WhatsApp that allowed anyone to see a user's profile photo, even though the user's settings restricted it to friends.