As someone who uses public transportation regularly, I rely on it to get me where I need to go quickly and efficiently. That’s why I was surprised to learn that I could have travelled for free on Namma Metro because of a critical bug I discovered.
In November 2022, Namma Metro started a QR-based ticket system. The QR code ticketing system was introduced to offer passengers a more convenient and faster way to access the metro. With a QR ticket, passengers don’t need to wait in long queues to buy physical tickets. Instead, they can simply purchase the QR ticket through the Namma Metro mobile app or through WhatsApp.
While testing the Namma Metro mobile app, I noticed the Purchase QR Ticket option. I immediately set up Burp Suite with Android Studio (a rooted AVD with Frida) and started capturing requests from the Namma Metro mobile app.
- Navigated to Purchase QR Ticket
- Entered the starting point and destination
- Captured the request and observed that the unitFare and totalFare parameters carry the ticket price in the API response body
- Changed the value to Rs.1 and forwarded the request
- The manipulated fare was accepted and updated
- Was then redirected to the payment page and completed the payment through UPI
- After the payment succeeded, I received the ticket for just Rs.1
As a security researcher, I knew that this was a critical bug that needed to be reported immediately. I reached out to the Namma Metro team and provided them with all the details of the bug and how it could be exploited. They responded quickly and thanked me for bringing the issue to their attention.
Upon further investigation, the Namma Metro team discovered that the bug was caused by a misconfiguration in their payment gateway system. They immediately fixed the issue, and I was impressed with their swift action and dedication to ensuring the safety and security of their passengers.
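The root cause described above is a price that the server trusts from the client. The following is an added example, not Namma Metro’s code and not based on their actual API: it models the vulnerable pattern (the order amount is taken from the client’s totalFare) next to a hardened version that recomputes the fare server-side from origin, destination and quantity, ignores any client-supplied fare fields, and only issues the ticket when the payment callback is both authentic and for the full amount. The station names, the fare table, the HMAC-signed callback format and the shared gateway secret are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed fare table for the example only (not Namma Metro's real fares):
# (origin, destination) -> unit fare in rupees.
FARE_TABLE = {
    ("Station A", "Station B"): 30,
    ("Station A", "Station C"): 60,
}


def server_fare(origin: str, destination: str, quantity: int) -> tuple[int, int]:
    """Return (unitFare, totalFare) computed from the server's own fare table."""
    if quantity < 1:
        raise ValueError("quantity must be positive")
    unit = FARE_TABLE.get((origin, destination)) or FARE_TABLE.get((destination, origin))
    if unit is None:
        raise ValueError("unknown route")
    return unit, unit * quantity


class VulnerableTicketService:
    """Models the flaw in the write-up: unitFare/totalFare come from the client
    and are stored as the amount to charge, so a tampered totalFare buys the ticket."""

    def __init__(self) -> None:
        self.orders: dict[str, dict] = {}

    def create_order(self, request: dict) -> str:
        order_id = secrets.token_hex(8)
        self.orders[order_id] = {
            "route": (request["origin"], request["destination"]),
            "amount": int(request["totalFare"]),  # trusted straight from the client
            "paid": False,
        }
        return order_id

    def payment_callback(self, order_id: str, paid_amount: int) -> bool:
        order = self.orders[order_id]
        if paid_amount == order["amount"]:  # compares against the tampered amount
            order["paid"] = True
        return order["paid"]


class HardenedTicketService:
    """Recomputes the fare server-side and verifies the gateway callback.
    The HMAC-over-"order_id:amount" callback format is an assumption for this example."""

    def __init__(self, gateway_secret: bytes) -> None:
        self.orders: dict[str, dict] = {}
        self._secret = gateway_secret

    def create_order(self, request: dict) -> str:
        # Only origin, destination and quantity are inputs; any unitFare/totalFare
        # fields in the request are ignored entirely.
        unit, total = server_fare(request["origin"], request["destination"],
                                  int(request.get("quantity", 1)))
        order_id = secrets.token_hex(8)
        self.orders[order_id] = {
            "route": (request["origin"], request["destination"]),
            "unitFare": unit,
            "amount": total,
            "paid": False,
        }
        return order_id

    def payment_callback(self, order_id: str, paid_amount: int, signature: str) -> bool:
        order = self.orders.get(order_id)
        if order is None or order["paid"]:
            return False  # unknown order or replayed callback
        expected = hmac.new(self._secret, f"{order_id}:{paid_amount}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False  # forged or tampered callback
        if paid_amount != order["amount"]:
            return False  # underpayment: do not issue the ticket
        order["paid"] = True
        return True


def sign_callback(secret: bytes, order_id: str, paid_amount: int) -> str:
    """Stand-in for the gateway's signing step (assumed format)."""
    return hmac.new(secret, f"{order_id}:{paid_amount}".encode(), hashlib.sha256).hexdigest()


def demo() -> tuple[bool, int, bool, bool, bool]:
    # Constructed request with the fare fields tampered down to Rs.1.
    tampered = {"origin": "Station A", "destination": "Station C",
                "quantity": 1, "unitFare": 1, "totalFare": 1}

    vuln = VulnerableTicketService()
    vid = vuln.create_order(tampered)
    vulnerable_issued = vuln.payment_callback(vid, 1)  # True: ticket issued for Rs.1

    secret = b"example-gateway-secret"  # assumption: shared secret with the gateway
    hard = HardenedTicketService(secret)
    hid = hard.create_order(tampered)
    amount = hard.orders[hid]["amount"]  # 60: server-computed, client value ignored
    underpaid = hard.payment_callback(hid, 1, sign_callback(secret, hid, 1))  # False
    forged = hard.payment_callback(hid, amount, "00" * 32)  # False: bad signature
    paid = hard.payment_callback(hid, amount, sign_callback(secret, hid, amount))  # True
    return vulnerable_issued, amount, underpaid, forged, paid


if __name__ == "__main__":
    print(demo())
```

The design point is that the client may display a fare, but it never supplies one: the order amount is derived only from server-side data, and the payment confirmation is checked against that stored amount and against a signature the client cannot forge, so neither a modified request nor a fabricated “payment successful” message results in a ticket.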
I am proud to have contributed to making Namma Metro a safer and more secure system for all its passengers.
Thanks for reading! Happy Hacking!
LinkedIn: Lohith Gowda M