Note: The name of local company asked very politely to have their name redacted so it has been replaced with KiwiServices as suggested by ChatGPT
On the evening of the 19th February 2025 I had an itch, an itch to do good in the world and to continue to polish my pen testing skills.
First I went through a list of trending apps on the Google Play Store, and looked for an “‘semi” popular app in New Zealand. After a bit of scrolling past the most popular apps I found it, KiwiServices. An app with under a 4 star rating (potentially indicating rushed development) and under 100k downloads.
I did some research and found that the app did infact have a responsible disclosure policy which at that point, I was happy to continue forth.
After downloading the App onto my rooted (spare) phone, I connected it to HTTP Toolkit (shout-out to the creator Tim for giving me free pro) and started the process of creating an account so I could test the different functionalities of the app.
When I typed in my phone number to make an account I noticed it make an outgoing HTTP request checking if I already had an account.
https://kiwiservices.example.com/users?filter=["phone":"64123456789"]
Can you spot the potential issue?
Yes, you just had the same thought as me. If I removed the filter, what would happen? Would it return user details unrelated to my account, or would it just error out?
Well it actually turned out, neither. The request timed out after 30 seconds with no data returned. However this is still very odd as the request should have either given an error code or some kind of response.
My next thought was that what if the request was timing out because it was trying to do a computationally heavy task such as gathering multiple users details and send it to me.
After some trial and error I managed to finally make the request work.
https://kiwiservices.example.com/users?range=[1,1] // Requests the first user
This returned a list of user[s] containing the following data (censored) for what seemed to be a testing account.
[
{
"id": 1,
"email": "[email protected]",
"firstName": "John",
"lastName": "Smith",
"phone": "64123456789",
"dateOfBirth": "2000-01-01T00:00:00.000Z",
"firstSeen": "0000-00-00T00:00:00.000Z",
"lastLoggedIn": null,
"Card": null,
"isNew": 0,
"cognitoId": "00000000-0000-0000-0000-000000000000",
"CustomerId": null,
"LoyaltyId": null,
"LoyaltyCard": null,
"RewardsMemberId": null,
"RewardsCard": null,
"isActive": 1,
"referralCode": "",
"fcmToken": null,
"allowTransNotif": 1,
"allowPromoNotif": 1,
"isVip": 0,
"session_id": 0,
"giftcard_id": 0,
"site_id": []
}
]
At this point I was confident that their entire user database was at risk, since a malicious actor could dump the entire user database by iterating through it with a large range. However it was midnight so I decided to report it the next day after I awoke.
Day 2
On day 2 I awoke and began by finding some form of contact details, information was somewhat sparse but I managed to find a phone number. After talking with someone there they said they would talk to one of the big cheeses and get them to call me back.
After maybe 30 minutes a big wig called me back and I ended up sending them a vulnerability report via email including replication steps.
A while after that, I got an email back saying that they managed to replicate the issue and were working on a fix. We also agreed on a 30-day responsible disclosure period.
As of the 22nd of March they have fixed the vulnerability and the 30-day disclosure period has ended.
Timeline
19/02/2025 - Vulnerability Discovered
20/02/2025 - Vulnerability Reported
11/03/2025 - Vulnerability Fixed
22/03/2025 - 30 Day responsible disclosure ends
25/03/2025 - Writeup published