If I had actually unlocked all the bikes, then yes, they would have been under my account and I could have been in deep trouble. Fortunately, (I made sure) that did not happen :)
Back in 2019 I reverse engineered the Lyft bikes API to unlock them from my bed. It's one of my favorite stories, and after telling it dozens of times I finally decided to write it up in its full technical glory.
I used to love learning about security through blog posts/writeups, so I tried to include as much detail as possible. Let me know if you like this style!
Believe it or not, straight to jail! Just kidding, great writeup. I know it's not groundbreaking, but it does surprise me how many products don't bother with rate limiting controls.
I actually think a quick fix was setting a rate limit, which sadly thwarted my brute-forcing but did not actually fix the race condition itself. Though it's a very fair "kid, stop it" response until they fixed the race condition.
Rate limiting is a stopgap, not a fix. I would have expected a transaction lock in Postgres (SELECT FOR UPDATE) to serialize the requests. Or a Redis mutex if they are worried about database contention.
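To make the distinction between the stopgap and the real fix concrete, here is an added illustration that is not from the writeup or from any commenter in the thread. It models the check-then-act step of an unlock endpoint ("does this account already have an active ride?" followed by "record the ride") with a constructed in-memory `Account` in place of a database row, and a hypothetical one-active-ride-per-account policy. The unsafe variant lets every concurrent request pass the check before any of them writes; the locked variant wraps check and write in one critical section, which is the role a `SELECT ... FOR UPDATE` row lock held until `COMMIT` (or a Redis mutex) plays in a real service. The `POSTGRES_SERIALIZED_UNLOCK` string is a sketch of that transaction with assumed table and column names.

```python
import threading
from dataclasses import dataclass, field
from typing import Optional

# Sketch of the database-side fix the comment describes. Table and column names
# (accounts, rides, active_rides, max_active) are assumptions for illustration;
# the row lock taken by FOR UPDATE is held until COMMIT, so a second request for
# the same account blocks and then sees the updated active_rides value.
POSTGRES_SERIALIZED_UNLOCK = """
BEGIN;
SELECT active_rides, max_active FROM accounts WHERE id = %(account_id)s FOR UPDATE;
-- application checks active_rides < max_active here, otherwise ROLLBACK
UPDATE accounts SET active_rides = active_rides + 1 WHERE id = %(account_id)s;
INSERT INTO rides (account_id, bike_id) VALUES (%(account_id)s, %(bike_id)s);
COMMIT;
"""


@dataclass
class Account:
    """Constructed in-memory stand-in for the account row a real service keeps in Postgres."""
    active_rides: int = 0
    max_active: int = 1                      # hypothetical policy: one active ride per account
    unlocked_bikes: list = field(default_factory=list)


class UnsafeUnlockService:
    """Check-then-act with no serialization: every concurrent request can pass the
    'active_rides < max_active' check before any of them records a ride."""

    def __init__(self, account: Account):
        self.account = account

    def unlock(self, bike_id: str, rendezvous: Optional[threading.Barrier] = None) -> bool:
        if self.account.active_rides >= self.account.max_active:
            return False
        if rendezvous is not None:
            rendezvous.wait()                # hold every request between check and write to force the interleaving
        self.account.active_rides += 1
        self.account.unlocked_bikes.append(bike_id)
        return True


class LockedUnlockService:
    """Same logic, but check and write happen inside one critical section. A process-local
    lock stands in for SELECT ... FOR UPDATE (row lock until COMMIT) or for a Redis mutex."""

    def __init__(self, account: Account):
        self.account = account
        self._lock = threading.Lock()

    def unlock(self, bike_id: str, rendezvous: Optional[threading.Barrier] = None) -> bool:
        if rendezvous is not None:
            rendezvous.wait()                # all requests arrive at the same instant, then serialize on the lock
        with self._lock:
            if self.account.active_rides >= self.account.max_active:
                return False
            self.account.active_rides += 1
            self.account.unlocked_bikes.append(bike_id)
            return True


def fire_concurrent_unlocks(service, n_requests: int) -> int:
    """Issue n_requests unlock calls at once from separate threads; return how many succeeded."""
    barrier = threading.Barrier(n_requests)
    results = [False] * n_requests

    def worker(i: int) -> None:
        results[i] = service.unlock(f"bike-{i}", barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("unsafe:", fire_concurrent_unlocks(UnsafeUnlockService(Account()), 8), "rides granted")
    print("locked:", fire_concurrent_unlocks(LockedUnlockService(Account()), 8), "ride granted")
```

A rate limit only lowers how many requests can reach the unsafe path per second; with the barrier removed, the unsafe service still over-grants whenever two requests happen to interleave. The locked service is correct at any request rate, which is why the lock (or the database row lock) is the fix and the rate limit is the stopgap.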
Used Charm for a shell AI CLI assistant (https://github.com/ibigio/shell-ai) - Bubble Tea and Lip Gloss. It was so pleasant to use (an absolute charm), super easy syntax highlighting and streaming updates. Absolutely love their work.