Hacking Voi Scooters: How I Created $100k Worth of Free Rides (fant.io)
86 points by JensRantil 15 days ago | 52 comments

Another mirror here: http://archive.is/GXpH6

Reminds me the time we integrated a web survey with giftbit (api driven gift card service). While developing this for our client I had this nagging sense that we needed to rate limit or block multiple submissions by a single email but the client wanted it to ship ASAP and not take the extra time to have some validation flow.

Day 1 - 8 legit surveys, each getting a $50 Amazon card.
Day 2 - just over a hundred, with 90+ being the same Gmail account.
Day 3 - out of credits, campaign over.

Between this and the Voi write up I think it’s important to have a dark mind in the room to avoid stuff like this being so trivial. Some hacks you hear about and the first thought is about how gifted or smart the hack/er was, other times you just think how dumb the developer was. I’ve been on both sides of this and while I’m not proud of it I think the stories like these keep people on their toes.

> block multiple submissions by a single email but the client wanted it to ship ASAP and not take the extra time to have some validation flow.

Surely that would have taken you ten minutes at most? I can't imagine anything more trivial. I can't imagine that the client wanted multiple survey results from the same person either.

I upvoted you because in my heart I agree. Yet now having shipped commercial games my mind tells me otherwise. The simplest behaviour can cascade into bugs, edge conditions, more feature requests, and for some features the base implementation is never the hard part.

Any feature which fundamentally transforms the final result, say by blocking a transaction, will be one of those cascading features. Sure just adding a "good enough to be 80% there" could be simple. Yet what happens when the client turns around and says "You delivered a broken app to me, I tried submitting my survey 3 times and only the first time was it accepted".

Sure this feature can be accommodated. The client might ask for special handling of test email accounts. Or an admin panel. Or a report & moderate workflow where they can override the block.

Getting to the core issue: the client did not see the value in the proposed work. If you are getting paid and spending extra time unpaid to give value to clients, you better be doing so because the client is going to be thankful.

Imagine a scenario where the OP ignored the clients wishes, implemented the feature anyway, tanked the negatives, all so that the client would not lose money to fraud, and thus prevent the client from seeing why the feature was needed in the first place. Lots of work, negative reward for the programmer.

Reminds me of the lamentations of a friend working at a webdev company. Step 1: Their customer wants a "Don't send me e-mail" option for users of the system. Step 2: Customer goes into rage mode since an important user doesn't get some mails. Step 3: Do not punch the customer in the face, because that user had the "Don't send me e-mail" option set - and the customer could see that from their admin panel.

When you are new you should do exactly what the client says. When you are experienced you should get clients that are willing to pay extra for your experience.

> Getting to the core issue: the client did not see the value in the proposed work.

The OP sounds like they were trying to graft more money from the client to me. The email was already stored. A trivial check would have reduced the triviality of the exploitation.

Not to mention that multiple survey results from the same person cannot be assumed to be what the client wanted.

Your attitude is the difference between a junior developer and an experienced one.

This might actually delay things if you work at some bureaucratic company where you need to discuss with another department whenever you want to add a table to the database or something.

Also, while keeping track of email addresses is simple, making such a system hard to exploit isn't all that trivial, with there being wildcard and throwaway email addresses and so on.

He said they already stored the email address, and that the offender used the same one. At least the most trivial of checks would have deterred the person most likely.

This to me would be a fundamental feature of the system - multiple survey results from the same person are of no value.

True, but we also raised the issue that we needed to solve the dynamic alias name+@gmail, for example, along with the free email providers like @mailinator; all of this got rejected as a single feature. So yes, just blocking dups on its own is trivial, but it was wrapped in an epic around some other points.

But I want to echo that your comment is accurate, maybe not 10 minutes, but it's a rounding mistake worth of time on its own. The results got emailed as soon as they were POSTed, so we didn't keep a db alongside the app. Keeping the list of used emails would have been easy, but it would mean keeping a log/db/redis/flat file somewhere. That ends up eating a little more time.

I think what we have illustrated here is exactly what happens in the bigger hacks. “Why didn’t they just... it takes 20 minutes to do that” and yes it does but it was packaged probably with other things that got killed.
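As an added illustration of the duplicate-submission check this thread keeps circling back to (it is not code from the commenter's project or from the Voi write-up), here is a small reward ledger that canonicalises Gmail-style aliases and rejects a constructed sample of throwaway domains. The `DISPOSABLE_DOMAINS` set, the `RewardLedger` class and its `max_per_mailbox` limit are all assumptions made for this example, and canonicalisation is applied only to providers known to ignore dots and "+tag" suffixes, in line with the later comment that over-aggressive canonicalisation is itself a risk.

```python
from dataclasses import dataclass, field
from typing import Dict

# Constructed sample for this example; a real campaign would keep its own list.
DISPOSABLE_DOMAINS = {"mailinator.com", "throwaway.example"}
# Providers that route "name+tag" and dotted variants to the same inbox.
ALIAS_INSENSITIVE = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Return a key under which aliases of the same mailbox collide."""
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"malformed address: {addr!r}")
    local, domain = addr.split("@")
    if domain == "googlemail.com":
        domain = "gmail.com"
    if domain in ALIAS_INSENSITIVE:
        # Strip the "+tag" suffix and ignore dots only where the provider does.
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


@dataclass
class RewardLedger:
    """Tracks rewards issued per canonical mailbox (hypothetical helper)."""
    max_per_mailbox: int = 1
    issued: Dict[str, int] = field(default_factory=dict)

    def decide(self, addr: str) -> str:
        """Return 'issue', 'duplicate' or 'disposable'; records issued rewards."""
        key = canonical_email(addr)
        if key.split("@")[1] in DISPOSABLE_DOMAINS:
            return "disposable"
        if self.issued.get(key, 0) >= self.max_per_mailbox:
            return "duplicate"
        self.issued[key] = self.issued.get(key, 0) + 1
        return "issue"


if __name__ == "__main__":
    ledger = RewardLedger()
    for submission in ["john.doe@gmail.com", "JohnDoe+2@gmail.com",
                       "x@mailinator.com", "j.doe+work@example.org"]:
        print(submission, "->", ledger.decide(submission))
```

Keying the ledger on the canonical address is what turns "90+ submissions from the same Gmail account" into one reward plus a pile of logged duplicates.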

I think a lot of time a client wants the developer to implement business rules, but these change so frequently that developers should not automate it, but make operations easier. In this case the business rule was “every submission gets a gift card” but this business rule needs exceptions. So giving out gift cards should be done manually but should be easy to do and this would prevent problems like these as well as other probably fraudulent behavior.

The amount of time to develop a feature makes no difference if the client didn’t want to pay for the time it would take to develop it.

It's all in how you present it. If you say "hey, I just thought of X, do you want to do it?" It's much less likely to get approval.

If you say, "hey, for the cost of a gift card or two we can prevent a single person from disrupting our campaign" it's much more likely to get approval.

And agree, this should be extremely trivial to implement and if the project was quoted prior to development should be included in the initial scope.

We can't prevent all malicious behavior but we can prevent the easy stuff.

Ask the question: How many gift cards should go to the same email address?

Maybe they had no database to store emails? They just called an API to give out the giftcard. No longer 10 minute change.

It probably wouldn't have helped, creating an email account is easy enough.

This doesn’t feel like much of a “hack”, it just leveraged the fact that an email address is all that’s needed to create an account and get a promo code. in the end he just has 1000s of accounts with $10 of promo credits each. His plan is to switch accounts every time he runs out of credits, seems like the easiest solution from Voi’s perspective would be to expire promo credits after a few weeks.

Was the content on the site taken down? It appears by clicking on the link that we are being directed to the blog itself not the blog post.

I'd be willing to pay any reasonable amount to use one of these for short trips, but please make a model using bigger wheels or any bump in the road would either destroy them or my back, probably both.

the bigger model is called a bicycle

At least where I live, the advantage of the scooters/e-bikes is that you can take a lunch break without coming back sweaty riding a bike and looking like a serial killer in a meeting.

In Los Angeles, we have little bike scooters with bigger wheels and faster speeds. They're probably exactly what you're looking for.

Lots of these scooters in Malmo, Sweden and I see local kids getting rides for free by "ending the ride" while pulling down the throttle as the scooter is being unlocked.

I've never done it, I've just heard about it, quite a lot.

Would the author be in trouble by posting this? I really hope he would not.. I'm just afraid there's some sort of clause upon registration against this sort of hacks..

"I had nothing to do one Sunday evening, so I played around with reverse-engineering the different scooter apps' APIs to see if I could find any loopholes. One would think that the more well-funded companies had thought more about their tech and would be good at preventing fraud. However, that isn't the case."

That sounds an awful lot like the author thinks that what they were doing is fraudulent. But I seem to have misplaced my Law Degree, so I couldn't say.

Personally, I am not sympathetic with attempts to "hack" a business' systems, whether by social engineering, attempting to exploit loopholes, or full-on exploiting security vulnerabilities. It may be legal, I cannot say, but when done in bad faith it is nothing more than parasitism. Or if you prefer, "exploitative."

Now of course, if the author has no intention of using these fraudulently obtained promo codes, and this is supposed to be some kind of white-hat "security research," that's another matter.

But this doesn't really look like it is being conducted for public benefit, e.g. to protect the privacy of users. And unsolicited testing of other people's systems seems like a legally perilous activity.

It's very weird, he seems to admit defrauding the system and bragging about. I don't think it's a very wise idea.

A lot of hackers I read about have a great deal of bravo about things like this. Yeah sure, you found a vulnerability in a company's API and got something for free. What I look forward to seeing is his next hack, where he somehow gets past the part where the company sends men with guns to his home to throw him in jail. Hopefully he can use the free rides to go someplace without an extradition treaty.

Really he only managed to hack a small portion of the system and ignored the societal safeguards that are far more robust.

"bravado" :-)

My bad, I'll blame autocorrect

Not bad!

That's the beauty of crowd-sourcing. Feel free to use words that seem right, and if it turns out that there is a slight adjustment to be made, everyone learns for free.

Author must be a fan of rap music. Look no further than Bobby Shmurda and Tekashi 69.

IANAL but this is in their user agreement [0]:

1.9 Unauthorized use, tampering and hacking.

You must not tamper with, attempt to gain unauthorized access to, modify, hack, repair, any Voi material or hardware, source-codes, information, including the Voi App, Website and Scooter, for any purposes. The Voi App, Website and the Scooter may only be used for the purposes pursuant to this Agreement.

If that's valid in court, that's another matter.

It looks like the Swedish Penal Code has a definition of data breach and jail time [1].

0 - https://www.voiscooters.com/voi-user-agreement-12rr/

1 - https://iclg.com/practice-areas/cybersecurity-laws-and-regul...

EDIT: Not discussing the technical details of this post because they are quite boring, to be honest. That's Web Security 101 and, given so many previous incidents, far from surprising that these companies aren't handling it well.

He's in Sweden, which is a reasonable country. It is very unlikely that he'd get into any kind of trouble over posting this.

Does a “reasonable” country not prosecute people for committing crimes?

In a reasonable country, the prosecutors office and the police are supposed to prioritize crimes that cause the greater danger to people, and/or to the society. If prosecuting is unlikely to increase safety and well being, the resources are better used where such positive effects can be achieved.

Prosecutors and police alike certainly don't have a perfect track record in this regard; there's still quite some room for improvement.

So we should just not prosecute fraud/theft and other nonviolent or white collar crimes at all?

Yeah, for actual crimes.

Julian Assange might disagree.

That case was an odd one, for sure, but it was also so odd that one can't really use it as a comparison. The only thing that's comparable was the Pirate Bay thing. I'm not going to say it was caused by unofficial, illegal pressure from some influential country or person, but sometimes it feels like the only plausible explanation.

Not only did the prosecutor act strangely, but also, reading accounts of what Assange's lawyer or witnesses have said in court (regarding the extradition request) is ... cringy more often than not.

> One would think that the more well-funded companies had thought more about their tech and would be good at preventing fraud. However, that isn't the case.

There is a mostly Western idea that money means you have considered everything right and are rewarded from that

This is such a huge distortion and I don't understand it, almost seems like it is a necessary religious doctrine to make people comfortable with pursuing this system

IMO cert pinning isn't all that important.

The number of painful outages caused by cert pinning versus the actual security benefit isn't worth it IMO. But the truth is that the random app dev doesn't have their shit together enough to do pinning right.

Don't believe me? AWS recommends the same

If you're Chase, or PayPal, sure. But if you're random startup with a crappy app, don't bother IMO.

I read this on LinkedIn a few days ago and what immediately struck me is how irresponsible the post is. 90 day disclosure deadlines and the practice of responsible disclosure is well established.

In the author's own timeline it's clear he gave Voi 9 days to respond before publishing all the details. This kind of conduct reflects poorly on the whole security community and I assume someone told the author this, resulting in the unpublishing of the post.

Post seems to be deleted.

Wasn't good either.

If you're gonna commit multiple crimes, at least do it for a significant amount of money. This is just not worth it, and trivial to get caught.

Please don't make these "Potential improvements"

- use SSL pinning.

- block different GMail emails from the same Google user.

- prevent different users from using the same credit card.

These are user hostile. I see no legitimate reason to do so. Though limiting coupon use with same base email/card/.. is reasonable.

- require more information than just an email address.

Maybe you need to (e.g. theft) but coupon reuse prevention is overreaching.

- don't email the promo codes in plain text. ... It could also be built as a deep link into the app

Is this assuming iOS use and opening the mail on the phone?

If you disagree, please state the reason.

To elaborate:

Paying for your kid, spouse or friend from a single card seems reasonable. Not everyone has lots of cards.

As for email canonicalization: What if you lose access to your account, want one for kids, separating work/personal .. don't do it by default unless you do have a good reason. You're just adding minor inconveniences and possibly serious vulnerabilities (using random email forwarders along with typical email password resets).

Certificate pinning to deny user access - your APIs should be secured by making them secure and it will actually work. Data itself (also) belongs to the user, not (only) to the service provider. Some may disagree, but laws in some countries state so.

What is user hostile about SSL pinning? Would the user not want to know when the certificate does not match up?

EDIT: The user will not be informed the certificates don't match up. He already knows as it is meant to dissuade user's traffic inspection.

It makes traffic inspection of your own devices hard. If you warn and ask the user, then fine, but I believe it was meant as mandatory.
