InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


Ethical Hacking Stories — Denial-of-Service to BiciMAD Bikes

Héctor Martos
Published in InfoSec Write-ups
5 min read, May 27, 2021

In 2014, the city of Madrid made a strong commitment to urban mobility by deploying its own bicycle rental service, called BiciMAD.

With BiciMAD you can take a bike from any of the 264 available stations

This story will show you how I found a vulnerability in the BiciMAD service that allowed an attacker to book all the available bikes.

Disclaimer: The opinions expressed in this story are the author’s own and do not reflect the view of the BiciMAD company. The incident was properly reported and the pertinent measures have been taken to solve it. Sensitive information is hidden in the following screenshots.

The BiciMAD Go Case

In the fall of 2020, Madrid added 454 free-floating bikes in a new modality called BiciMAD Go. The difference from regular BiciMAD bikes is that they don’t need to be docked at a station: you can leave them anywhere within the allowed area.

The most convenient way to find one of these bikes is using the official BiciMAD App.

The markers with a number represent BiciMAD stations, while the others indicate BiciMAD Go bikes

You can book a BiciMAD Go bike to avoid another user taking that bike in the next 10 minutes.

Booking a bike will give you enough time to get to the bike location

One day, a question arose in my head:

Could I book more than one bike at the same time?

Allowing a user to book more than one bike at the same time could compromise the availability of the bikes, so I expected some kind of control.

There is a control to prevent a user from booking more than one bike in the same period of time

This should be a server-side control, but it wouldn’t be the first time I’ve seen such controls implemented only on the client side, where they are easy to bypass.
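For contrast, here is what that control looks like when it lives on the server, as an added example (hypothetical code, not BiciMAD’s backend): one active booking per user, a 10-minute hold on the bike, and an atomic check-and-insert so that parallel requests from one account cannot all pass the "no active booking" test. The class and function names and the injected clock are assumptions made for the example.

```python
import threading
import time
from dataclasses import dataclass, field

HOLD_SECONDS = 10 * 60  # a BiciMAD Go booking holds the bike for 10 minutes


@dataclass
class ReservationService:
    """Server-side booking control (hypothetical): at most one active
    reservation per user and at most one reservation per bike.
    The clock is injected so that expiry can be tested without waiting."""
    clock: callable = time.time
    active: dict = field(default_factory=dict)        # user_id -> (bike_id, expires_at)
    held_bikes: set = field(default_factory=set)      # bike_ids currently reserved
    _lock: threading.Lock = field(default_factory=threading.Lock)

    def _expire(self, now: float) -> None:
        # Drop bookings whose 10-minute hold has elapsed.
        for user, (bike, expires_at) in list(self.active.items()):
            if expires_at <= now:
                del self.active[user]
                self.held_bikes.discard(bike)

    def book(self, user_id: str, bike_id: str) -> str:
        # The lock makes "check for an active booking" and "insert the new
        # booking" one atomic step; without it, two parallel requests could
        # both see no active booking and both succeed.
        with self._lock:
            now = self.clock()
            self._expire(now)
            if user_id in self.active:
                return "rejected: user already has an active booking"
            if bike_id in self.held_bikes:
                return "rejected: bike already booked"
            self.active[user_id] = (bike_id, now + HOLD_SECONDS)
            self.held_bikes.add(bike_id)
            return "ok"


def concurrent_attempts(service: ReservationService, user_id: str, bike_ids: list) -> int:
    """Fire one booking request per bike in parallel for a single user and
    return how many were accepted; a correct server-side control yields 1."""
    results = []  # list.append is atomic under the GIL, so no extra lock needed

    def worker(bike: str) -> None:
        results.append(service.book(user_id, bike))

    threads = [threading.Thread(target=worker, args=(b,)) for b in bike_ids]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return results.count("ok")
```

Once the hold expires, the same user can book again, so the control limits concurrency without blocking legitimate reuse.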


Written by Héctor Martos

Software Engineer. Curious and passionate Ethical Hacker. Believer in open-source philosophy. Learn by mistake, teach by example. https://hmartos.github.io
