With the government encouraging vehicle sharing and carpooling, new services have appeared that let people hire vehicles on demand. One of them is Bounceshare, which lets users book a scooter in their vicinity, ride it for their commute and drop it off at their destination.
However, a flaw was recently uncovered in the Bounceshare app by security researcher Ehraz Ahmed. One of its internal Application Programming Interfaces (APIs) could log an attacker into any Bounceshare account: passing a user's phone number in the request was enough to get back that user's Access Token and RiderId, with no further authentication. The Access Token could then be used to access that account.
Bounceshare's user base of approximately 2 million users was at risk of having their information leaked. Because the only input needed was a phone number, attackers or telemarketers could have mined account data at scale by scripting requests against a phone-number dump found online.
The vulnerability could also have let an attacker access a user's Bounceshare account and the sensitive information in it, such as their driving licence, selfies, phone number or email address. If the user had linked a Paytm account, the attacker could also see the user's balance and book rides from the user's account.
Ahmed uploaded a video demonstrating how he reproduced the flaw.
Moneycontrol reached out to Bounceshare to ask whether any data was lost because of the bug. The company acknowledged the bug highlighted by Ahmed, but said it was fixed before it was exploited.
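The flaw described above, modelled as an added example (this is not Bounceshare's code; the endpoint shape, field names such as `accessToken` and `riderId`, the user table and the OTP scheme are all hypothetical). `vulnerable_login` issues an account token from a phone number alone, which is the pattern the report describes; `hardened_login` only issues a token after the caller proves possession of the phone via a single-use, time-limited OTP, returns one generic error for every failure so registered numbers cannot be enumerated, and rate-limits attempts per phone number so a leaked number list cannot be brute-forced through the OTP space.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample user table (hypothetical data, not real accounts).
USERS = {
    "+919999900001": {"rider_id": "r-1001", "email": "a@example.com"},
    "+919999900002": {"rider_id": "r-1002", "email": "b@example.com"},
}

SERVER_KEY = secrets.token_bytes(32)


def mint_token(rider_id):
    """Opaque bearer token bound to one account: rider_id plus an HMAC tag."""
    tag = hmac.new(SERVER_KEY, rider_id.encode(), hashlib.sha256).hexdigest()
    return f"{rider_id}.{tag}"


# --- vulnerable: the phone number is the only input -------------------------
def vulnerable_login(request):
    """Models the reported flaw: whoever supplies a registered phone number
    receives that account's token and rider id, no proof of ownership needed."""
    user = USERS.get(request.get("phone"))
    if user is None:
        return {"error": "no such user"}  # distinct error also leaks who is registered
    return {"accessToken": mint_token(user["rider_id"]), "riderId": user["rider_id"]}


# --- hardened: proof of possession, generic errors, per-number rate limit ----
OTP_TTL = 300          # seconds an OTP stays valid
MAX_ATTEMPTS = 5       # login attempts allowed per phone number ...
WINDOW = 600           # ... within this many seconds
_pending_otps = {}                 # phone -> (otp, expiry time)
_attempts = defaultdict(list)      # phone -> timestamps of recent attempts
GENERIC_ERROR = {"error": "invalid phone or code"}


def request_otp(phone, now):
    """Issue a 6-digit OTP for a registered phone. In production the OTP is
    sent over SMS and never returned to the HTTP caller; returning it here is
    only so the demo can complete the flow. Unregistered numbers get None,
    but the HTTP layer should still answer with a generic "code sent"."""
    if phone not in USERS:
        return None
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending_otps[phone] = (otp, now + OTP_TTL)
    return otp


def hardened_login(request, now):
    phone = request.get("phone", "")
    # Rate limit per phone number before doing anything else.
    recent = [t for t in _attempts[phone] if now - t < WINDOW]
    if len(recent) >= MAX_ATTEMPTS:
        _attempts[phone] = recent
        return {"error": "too many attempts"}
    recent.append(now)
    _attempts[phone] = recent

    pending = _pending_otps.get(phone)
    if pending is None or now > pending[1]:
        return GENERIC_ERROR                      # no OTP requested, or expired
    if not hmac.compare_digest(pending[0], request.get("otp", "")):
        return GENERIC_ERROR                      # wrong code, same message
    del _pending_otps[phone]                      # single use
    user = USERS[phone]
    return {"accessToken": mint_token(user["rider_id"]), "riderId": user["rider_id"]}
```

The `now` parameter is passed in rather than read from the clock so the expiry and rate-limit behaviour can be exercised deterministically; a real service would also log every issuance and failed attempt with the caller's IP so that a burst of lookups across many distinct numbers, the enumeration pattern described above, is visible to monitoring.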
"A technical bug was detected in our system about a potential vulnerability to some user information. We immediately launched an investigation and fixed the bug to ensure that there is no risk to user data because of the identified bug," the statement read.
Bounceshare further stated that the bug's impact was limited, as an impersonator would need to be a registered user and would need to know the phone number of the targeted registered user to gain any access to their account, which would leave an audit trail in case of misuse.
Further, the company said, the bug did not give direct access through the app, so any exploitation would have required the impersonator to make multiple API calls to recreate the bike-booking process outside the app, which requires deep programming expertise.
Bounce also says that it does not collect any sensitive data, including email IDs, bank account, credit card or other financial information.
"Bounce has strong security processes and measures in place and is supplemented by frequent comprehensive security audits through an external firm. User data security and privacy are of utmost importance to us, and we are committed to being proactive and investing heavily in keeping it secure," the company said.