RedBus + MakeMyTrip bug bounty (requests tampering)

Vishnu Thulasidoss
Published in InfoSec Write-ups
3 min read · May 29, 2023


Hello guys! I am Vishnu Thulasidoss.

A couple of months back, when I was interning in Chennai, I had to travel to my hometown for some reason. So, I was looking for a bus ticket on RedBus.

They were charging around 1300 Rs for a single seat, and around 1200 Rs for the double seat. To save that extra 100 Rs, I decided to go with the double seat. But I couldn’t sleep that night, because the other guy was snoring all night. I was thinking about a way to avoid such disturbance; that’s when I got an idea.

Idea:

So basically, when a user selects a seat and navigates to the payment page, the seat will be locked for some period of time (known as the lock-in period), to prevent multiple users from booking the same seat. Under the hood, an API request should be sent from the client to the server. This API request should be responsible for locking the seat. If I could capture this request for a seat and replay it at regular intervals, then I could possibly lock the seat forever.

So, I decided to test my hypothesis. I opened my laptop and fired up Burp Suite. Then I navigated to redbus.in and simulated the process of booking the seat, while recording the traffic in Burp. Within a few minutes of intercepting the requests, I found that a POST request is made to the endpoint “https://redbus.in/…/…”, which locks the seat. I retested it for confirmation. Then I wrote a Python script that, when deployed to the cloud, resends this request every 10 minutes (the lock-in period).

This lets me travel freely in two seats without any disturbance just by paying for a single seat. But I can’t use it practically. Even if I lock the seat forever, those greedy bus conductors would pick up someone from the road who is waiting for a bus. So, technically, the other seat will always be filled.

So, I decided to report the bug. I recorded a proof of concept to reproduce this bug. To spice things up, I locked all the seats in a bus programmatically while recording the PoC. Then, I emailed their security team about the bug. In a few days, I received an Amazon voucher worth 10,000 Rs.
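One way a booking backend can close the gap behind the replayed lock request and the all-seats PoC described above, as an added example (not code from RedBus, MakeMyTrip or the author): repeating the lock request never extends the expiry, an expired hold puts that user and seat on a cooldown, and each user has a cap on concurrent holds. `SeatHolds`, `MAX_HOLDS_PER_USER`, `COOLDOWN_SECONDS` and the return values are hypothetical; only the 10-minute lock-in period comes from the write-up.

```python
import time

LOCK_SECONDS = 600         # 10-minute lock-in period, as in the write-up
MAX_HOLDS_PER_USER = 6     # assumed policy value
COOLDOWN_SECONDS = 1800    # assumed wait before re-holding a seat that was left unpaid


class SeatHolds:
    """In-memory seat-hold table; `user` is assumed to be an authenticated account id."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.holds = {}      # seat -> (user, expires_at)
        self.cooldown = {}   # (user, seat) -> earliest time the user may hold it again

    def _expire(self, now):
        # Drop lapsed holds and start the cooldown for whoever let them lapse.
        for seat, (user, expires_at) in list(self.holds.items()):
            if expires_at <= now:
                del self.holds[seat]
                self.cooldown[(user, seat)] = expires_at + COOLDOWN_SECONDS

    def lock(self, user, seat):
        now = self.clock()
        self._expire(now)
        holder = self.holds.get(seat)
        if holder:
            # A replayed request is idempotent: the original expiry is returned unchanged.
            if holder[0] == user:
                return ("already_held", holder[1])
            return ("taken", None)
        if self.cooldown.get((user, seat), 0) > now:
            return ("cooldown", None)
        active = sum(1 for owner, _ in self.holds.values() if owner == user)
        if active >= MAX_HOLDS_PER_USER:
            return ("too_many_holds", None)
        expires_at = now + LOCK_SECONDS
        self.holds[seat] = (user, expires_at)
        return ("locked", expires_at)
```

Keying on the account only helps if creating accounts is itself rate-limited; an anonymous session id as `user` would let the same client rotate identities.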

I also tested the same bug on MakeMyTrip. It worked again. So, I reported the bug, and received a bounty of 13,500 Rs from MMT after tax deductions, along with Hall of Fame.

https://www.makemytrip.com/pwa/hlp/v3/bugbounty > Thanks

I tested this again on ClearTrip, and no surprise, it worked again. But, they refused to accept the report, and claimed that it was intended to be a feature and not a bug :)

Most companies would’ve missed such an edge case. Try your luck on similar platforms. If you find the same bug and receive a bounty, just ping me on LinkedIn or let me know in the comments. I would be happy to know :)

Check out this video for detailed scene. Do subscribe :)

Happy hunting!
