
Hacking Voi Scooters: How I Created $100k Worth of Free Rides - JensRantil
https://fant.io/p/hacking-voi/
======
fwr
Mirror:
[https://web.archive.org/web/20190928130035/https://fant.io/p/hacking-voi/](https://web.archive.org/web/20190928130035/https://fant.io/p/hacking-voi/)

~~~
slacka
Another mirror here: [http://archive.is/GXpH6](http://archive.is/GXpH6)

------
social_quotient
Reminds me of the time we integrated a web survey with giftbit (api driven gift
card service). While developing this for our client I had this nagging sense
that we needed to rate limit or block multiple submissions by a single email
but the client wanted it to ship ASAP and not take the extra time to have some
validation flow.

Day 1 - 8 legit surveys each getting $50 amazon card
Day 2 - just over a hundred with 90+ being the same gmail account.
Day 3 - out of credits, campaign over.

Between this and the Voi write up I think it’s important to have a dark mind
in the room to avoid stuff like this being so trivial. Some hacks you hear
about and the first thought is about how gifted or smart the hack/er was,
other times you just think how dumb the developer was. I’ve been on both sides
of this and while I’m not proud of it I think the stories like these keep
people on their toes.

~~~
easytiger
> block multiple submissions by a single email but the client wanted it to
> ship ASAP and not take the extra time to have some validation flow.

Surely that would have taken you ten minutes at most? I can't imagine anything
more trivial. I can't imagine that the client wanted multiple survey results
from the same person either.

~~~
Danieru
I upvoted you because in my heart I agree. Yet now having shipped commercial
games my mind tells me otherwise. The simplest behaviour can cascade into
bugs, edge conditions, more feature requests, and for some features the base
implementation is never the hard part.

Any feature which fundamentally transforms the final result, say by blocking a
transaction, will be one of those cascading features. Sure just adding a "good
enough to be 80% there" could be simple. Yet what happens when the client
turns around and says "You delivered a broken app to me, I tried submitting my
survey 3 times and only the first time was it accepted".

Sure this feature can be accommodated. The client might ask for special
handling of test email accounts. Or an admin panel. Or a report & moderate
workflow where they can override the block.

Getting to the core issue: the client did not see the value in the proposed
work. If you are getting paid and spending extra time unpaid to give value to
clients, you better be doing so because the client is going to be thankful.

Imagine a scenario where the OP ignored the client's wishes, implemented the
feature anyway, tanked the negatives, all so that the client would not lose
money to fraud, and thus prevent the client from seeing why the feature was
needed in the first place. Lots of work, negative reward for the programmer.

~~~
easytiger
> Getting to the core issue: the client did not see the value in the proposed
> work.

The OP sounds like they were trying to graft more money from the client to me.
The email was already stored. A trivial check would have reduced the
triviality of the exploitation.

Not to mention that multiple survey results from the same person cannot be
assumed to be what the client wanted.

~~~
QualityReboot
Your attitude is the difference between a junior developer and an experienced
one.

------
femto113
This doesn’t feel like much of a “hack”; it just leveraged the fact that an
email address is all that’s needed to create an account and get a promo code.
In the end he just has 1000s of accounts with $10 of promo credits each. His
plan is to switch accounts every time he runs out of credits; it seems like the
easiest solution from Voi’s perspective would be to expire promo credits after
a few weeks.

------
zitterbewegung
Was the content on the site taken down? It appears by clicking on the link
that we are being directed to the blog itself not the blog post.

------
squarefoot
I'd be willing to pay any reasonable amount to use one of these for short
trips, but please make a model using bigger wheels or any bump in the road
would either destroy them or my back, probably both.

~~~
croisillon
the bigger model is called a bicycle

~~~
xeromal
At least where I live, the advantage of the scooters/e-bikes is that you can
take a lunch break without coming back sweaty riding a bike and looking like a
serial killer in a meeting.

------
dijit
Lots of these scooters in Malmo, Sweden and I see local kids getting rides for
free by "ending the ride" while pulling down the throttle as the scooter is
being unlocked.

I've never done it, I've just heard about it, quite a lot.

------
blacksoil
Would the author be in trouble by posting this? I really hope he would not..
I'm just afraid there's some sort of clause upon registration against this
sort of hacks..

~~~
ryanlol
He's in Sweden, which is a reasonable country. It is very unlikely that he'd
get into any kind of trouble over posting this.

~~~
esoterica
Does a “reasonable” country not prosecute people for committing crimes?

~~~
lostmyoldone
In a reasonable country, the prosecutors office and the police are supposed to
prioritize crimes that cause the greater danger to people, and/or to the
society. If prosecuting is unlikely to increase safety and well being, the
resources are better used where such positive effects can be achieved.

Prosecutors and police alike certainly don't have a perfect track record in
this regard, there's still quite some room for improvement.

~~~
esoterica
So we should just not prosecute fraud/theft and other nonviolent or white
collar crimes at all?

------
rolltiide
> One would think that the more well-funded companies had thought more about
> their tech and would be good at preventing fraud. However, that isn't the
> case.

There is a mostly Western idea that money means you have considered everything
right and are rewarded for that.

This is such a huge distortion and I don't understand it; it almost seems like it
is a necessary religious doctrine to make people comfortable with pursuing
this system.

------
cheeze
IMO cert pinning isn't all that important.

The number of painful outages caused by cert pinning versus the actual
security benefit isn't worth it IMO. But the truth is that random app dev
doesn't have their shit together enough to do pinning right.

Don't believe me? AWS recommends the same.

[https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/](https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/)

If you're Chase, or PayPal, sure. But if you're a random startup with a crappy
app, don't bother IMO.

------
K0nserv
I read this on LinkedIn a few days ago and what immediately struck me is how
irresponsible the post is. 90 day disclosure deadlines and the practice of
responsible disclosure is well established.

In the author's own timeline it's clear he gave Voi 9 days to respond before
publishing all the details. This kind of conduct reflects poorly on the whole
security community and I assume someone told the author this, resulting in the
unpublishing of the post.

------
raihansaputra
Post seems to be deleted.

~~~
labawi
Wasn't good either.

------
eskpe
Original removed, web archive:
[https://web.archive.org/web/20190928130035/https://fant.io/p/hacking-voi/](https://web.archive.org/web/20190928130035/https://fant.io/p/hacking-voi/)

------
xkcd-sucks
Original article

[https://web.archive.org/web/20190928113147/https://fant.io/p/hacking-voi/](https://web.archive.org/web/20190928113147/https://fant.io/p/hacking-voi/)

------
bufferoverflow
If you're gonna commit multiple crimes, at least do it for a significant
amount of money. This is just not worth it, and trivial to get caught.

------
labawi
Please don't make these "Potential improvements"

- use SSL pinning.

- block different GMail emails from the same Google user.

- prevent different users from using the same credit card.

These are user hostile. I see no legitimate reason to do so. Though limiting
coupon use with same base email/card/.. is reasonable.

- require more information than just an email address.

Maybe you need to (e.g. theft) but coupon reuse prevention is overreaching.

- don't email the promo codes in plain text. ... It could also be built as a
deep link into the app

Is this assuming iOS use and opening the mail on the phone?

EDIT:

If you disagree, please state the reason.

To elaborate:

Paying for your kid, spouse or friend from a single card seems reasonable. Not
everyone has lots of cards.

As for email canonicalization: What if you lose access to your account, want
one for kids, separating work/personal .. don't do it by default unless you do
have a good reason. You're just adding minor inconveniences and possibly
serious vulnerabilities (using random email forwarders along with typical
email password resets).

Certificate pinning to deny user access - your APIs should be secured by
making them secure and it will actually work. Data itself (also) belongs to
the user, not (only) to the service provider. Some may disagree, but laws in
some countries state so.

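An added example (not code from the thread, the article, or Voi) of the narrower control labawi calls reasonable and that would have stopped the survey abuse social_quotient describes: fold the aliases one mailbox owner controls into a canonical key and cap promo redemptions per key, while the account itself keeps the address exactly as entered. The Gmail dot/plus-tag rules, the `PromoLimiter` class and the sample sign-ups are assumptions constructed for this demonstration.

```python
"""Promo-redemption limiting keyed on a canonical mailbox (added example).

Assumptions (not from the thread): Gmail ignores dots in the local part and
treats googlemail.com as gmail.com; '+tag' sub-addressing is folded for every
domain because it is cheap for an abuser to vary. The canonical key is used
ONLY to limit coupon redemptions, never as the account identity.
"""
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Return a key that folds aliases a single mailbox owner controls."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    local = local.split("+", 1)[0]          # drop sub-address tag
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")      # Gmail ignores dots
        domain = "gmail.com"
    return f"{local}@{domain}"


class PromoLimiter:
    """Caps how many promo codes one canonical mailbox may redeem."""

    def __init__(self, max_per_mailbox: int = 1):
        self.max = max_per_mailbox
        self.redeemed = defaultdict(int)    # canonical key -> count

    def try_redeem(self, addr: str) -> bool:
        """True if a code may be issued to addr, False once the cap is hit."""
        key = canonical_email(addr)
        if self.redeemed[key] >= self.max:
            return False
        self.redeemed[key] += 1
        return True


# Constructed sample: the same Gmail mailbox under three spellings, plus two
# distinct mailboxes at another provider (one of them re-trying with a tag).
SIGNUPS = [
    "Alice@gmail.com", "a.lice@gmail.com", "alice+voi1@googlemail.com",
    "bob@example.org", "Bob+promo@example.org", "alice@example.org",
]


def run_sample():
    limiter = PromoLimiter(max_per_mailbox=1)
    return [limiter.try_redeem(a) for a in SIGNUPS]
```

Only the first spelling of each real mailbox gets a code; the second and third Gmail variants and Bob's tagged retry are refused.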
~~~
joshuaissac
What is user hostile about SSL pinning? Would the user not want to know when
the certificate does not match up?

~~~
labawi
EDIT: The user will not be informed the certificates don't match up. He
already knows as it is meant to dissuade user's traffic inspection.

It makes traffic inspection of your own devices hard. If you warn and ask the
user, then fine, but I believe it was meant as mandatory.

