The Anatomy of the Careem Hack

Shahmeer Amir
Published Apr 25, 2018 · 4 min read

We live in an age of rapid advancement, and every second brings an innovative outcome, but with that innovation come its associated risks. Technology is in no way perfect; if it were, it would have been self-aware. Cyber security is an important aspect of technology which, if ignored, can have disastrous repercussions. It's just the first quarter of 2018 and we have already seen companies like Deloitte, Uber and now Careem being compromised by hackers.

This article is specifically about a vulnerability that Team Veiliux identified in Careem's systems 18 months ago, which was similar to the vulnerability that exposed Careem's data to hackers, but not the exact one.

Careem

Let's dig into a little background. On April 23rd, Careem announced that it had detected a breach in its systems and accepted that the attackers had gained access to customer and captain data due to a vulnerability that allowed them access to its infrastructure.

Careem Notification

Referring to this announcement, my team Veiliux had also identified a similar vulnerability in Careem which allowed attackers access to some very critical and sensitive data if the booking ID of the user was known. The vulnerability existed in Careem's API for the following two reasons:

  1. Open API calls
  2. No rate limiting on booking ID endpoints

It all started when we were able to identify an API endpoint that was open for anyone to call. We started to explore the possibilities of exploiting that feature for proof-of-concept purposes before we reached out to Careem. So we brute forced and identified a few valid booking IDs.
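The two weaknesses just named (an endpoint anyone could call, and no throttle on booking-ID lookups) are the classic ingredients of an insecure direct object reference. The following is an added example, not Careem's code or Veiliux's tooling: a toy in-memory booking store with the vulnerable lookup beside a hardened one that requires an authenticated caller, checks that the booking belongs to that caller, counts every attempt (hits and misses alike) against a per-caller rate limit, and issues an opaque random booking reference in place of a sequential counter. All records, names, limits and the `probe` helper are constructed for illustration.

```python
"""Authorization and rate limiting on a booking-lookup endpoint.

Added example, not Careem's code: it models the two weaknesses the article
names (an API call anyone could invoke, and no rate limiting on the
booking-ID endpoint) beside a hardened handler. Every record, name and
limit below is constructed for illustration.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: sequential integer booking IDs, the kind of ID
# space that a brute-force walk can cover.
BOOKINGS = {
    1001: {"user": "alice", "car_type": "GO", "pickup": "Clifton", "dropoff": "DHA"},
    1002: {"user": "bob", "car_type": "GO+", "pickup": "Gulberg", "dropoff": "Johar"},
    1003: {"user": "carol", "car_type": "Business", "pickup": "F-7", "dropoff": "G-9"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the booking (or is not logged in)."""


class RateLimited(Exception):
    """Raised when the caller has exhausted its request budget."""


def get_booking_insecure(booking_id: int) -> Optional[dict]:
    """Vulnerable handler: no caller identity, no ownership check, no limit.
    Any integer can be tried until one lands on a real booking."""
    return BOOKINGS.get(booking_id)


@dataclass
class RateLimiter:
    """Per-caller fixed window: at most `limit` calls per `window` seconds,
    the window starting at the caller's first request."""
    limit: int = 5
    window: float = 60.0
    _hits: dict = field(default_factory=dict)

    def check(self, caller: str, now: float) -> None:
        start, count = self._hits.get(caller, (now, 0))
        if now - start >= self.window:  # window expired: start a fresh one
            start, count = now, 0
        if count >= self.limit:
            raise RateLimited(caller)
        self._hits[caller] = (start, count + 1)


LIMITER = RateLimiter(limit=5, window=60.0)


def get_booking_secure(caller: Optional[str], booking_id: int,
                       now: Optional[float] = None) -> dict:
    """Hardened handler.

    1. Require an authenticated caller (closes the 'open API call').
    2. Charge every attempt, including misses, to the caller's budget, so
       walking the ID space is throttled (adds the missing rate limit).
    3. Return one identical error whether the ID is absent or belongs to
       someone else, so responses do not reveal which IDs exist.
    """
    if caller is None:
        raise Forbidden("authentication required")
    LIMITER.check(caller, time.monotonic() if now is None else now)
    record = BOOKINGS.get(booking_id)
    if record is None or record["user"] != caller:
        raise Forbidden("booking not found")
    return record


def new_booking_id() -> str:
    """Opaque 128-bit booking reference instead of a counter: even if a
    limiter is misconfigured, there is no sequence to enumerate."""
    return secrets.token_urlsafe(16)


def probe(caller: Optional[str], booking_id: int, now: float) -> str:
    """Constructed helper that turns the secure handler's outcome into a
    label, so a sequence of lookups can be inspected or tested."""
    try:
        get_booking_secure(caller, booking_id, now)
        return "ok"
    except RateLimited:
        return "rate_limited"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # A caller walking IDs 1001..1008 within one window: only their own
    # booking succeeds, and the walk is cut off once the budget is spent.
    for i, bid in enumerate(range(1001, 1009)):
        print(bid, probe("alice", bid, now=float(i)))
    print("fresh reference:", new_booking_id())
```

The important design choice is that misses and foreign bookings both cost budget and both return the same "not found" error: a limiter that only counts successful lookups, or an error message that distinguishes "no such booking" from "not yours", still lets the caller map out which IDs are live.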

Careem Booking IDs

After collecting some valid booking IDs, we automated the exploitation scenario against the API endpoint to exploit the vulnerability and retrieve the user's information. To our luck, it worked like a charm and we were able to harvest all bits of critical information, including:

  1. Ride Information
  2. Booking ID
  3. Car type
  4. Pickup Location
  5. Dropoff Location

Below are some of the proof-of-concept screenshots that we sent to Careem:

Careem Exploit Proof of Concept 1
Careem Proof of Concept 2
Careem Proof of Concept 3

Similar to the ones above, if the attacker knew a booking ID, they could easily harvest the information of the rider and the driver as well. Immediately after identifying the vulnerability, we reached out to Careem via Twitter, as shown below:

Careem Twitter

We also reached out to them a number of times via email, but there was no reply. Upon contacting Careem's head of security after the news broke recently, we were informed that the flaw had been fixed upon our report and had no direct connection with the vulnerability that led to the breach. I personally think that the vulnerability we identified did somehow aid in the breach.

Careem Response

However, respecting the response from Careem, and with their permission, I decided to write and post this article. Now, what can we learn from this incident? First of all, every company, big or small, has been or will at some point be breached, and there are no two ways about it; Uber and Careem are two of the biggest examples. Secondly, if a company has been breached and announces it publicly, no one should start bashing them, because they had the guts to announce it and tell their customers; however, it should be done swiftly and as early as possible. So, how can this be prevented in future?

The solution to all of this and many other problems is GDPR, which sets out the rules companies must follow when handling customer data. The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU, anywhere in the world.

I hope that new and emerging companies may learn from this incident and keep on creating a good name for their nation and themselves. It should also be noted that Team Veiliux included a number of individuals who helped report this issue:

  1. Shahmeer Amir — CEO Veiliux
  2. Shawar Khan — Information Security Consultant
  3. Hassan Khan — Information Security Consultant
  4. Khizer Javed — Information Security Consultant

It is also to be noted that Team Veiliux had no involvement in the breach that took place; this exploit was not used unethically whatsoever.

Thank you for taking the time to read this article. Until next time.


Shahmeer Amir is an ethical hacker, a cyber security researcher and a bug bounty hunter from Pakistan.