Oh Mi-Taxi what have you done? (Elastic Search Data Exposure)

(Note: This article was published after the 30-day disclosure period in order to give mi-taxi / Mississauga Taxi a chance to resolve the disclosed issues.)


Intro

Mississauga Taxi (mi-Taxi) is a taxi company located in Mississauga, Ontario, Canada, whose mobile application uses an unsecured Elasticsearch server. That unsecured server was exposing the personal information of drivers and passengers, including credit card details.

Info

Let's start with an old Taxi joke:

Who earns a living driving their customers away? A taxi company with an insecure mobile app and server.

As usual, the discovery of an initial source of leaky data on a server can lead to a treasure trove of issues in an application. Mi-Taxi (Mississauga Taxi, Ontario, Canada) is just one of those examples.

During routine testing of a REMM profiling tool (Redis, Elasticsearch, Mongo, MQTT) I came across an exposed Elasticsearch database, which was exposing sensitive data of its drivers and customers, including credit card details, which were being collected, transmitted, and stored in the clear.

After a more thorough investigation, it became clear that several more issues exist within the mi-taxi application. Those issues include:

  • Unsecured Elasticsearch
  • Clear-text credit card information stored in notes sections (note: in violation of PCI compliance)
  • No encryption (HTTPS/TLS) in communications between the mobile app and the server
  • API key for the gocode database is stored in the mobile app (unused, because mi-taxi calls the 3rd-party vendor over http and the vendor now mandates https)
  • Django debug mode is enabled on the server, and its error pages reveal details useful for guessing paths/endpoints/error conditions.

Initial Entry Vector - Unsecured Elasticsearch

Elasticsearch is a great tool for indexing diverse sets of data; however, the risk with great technology like ES is an insecure implementation without forethought for security. mi-taxi is exactly one of those implementations. Exposed on the ES server were approx. 32,000 records with data of:

(Reduced sample of a single record; values masked with X)

{
  "ride": [
    {
      "payment_method": "",
      "distance_m": 26530,
      "actual_driver_arrival_to_customer": "2018-08-03 14:40:44",
      "duration": "21 mins"
    }
  ],
  "booking": {
    "booking": {
      "passenger": {
        "first_name": "",
        "last_name": "",
        "phone2": "",
        "email": "",
        "phone": "",
        "remarks": "Remarks: 4514XXXXXXXXX109 ex 4/19 (XXX)"
      },
      "toLocation": {
        "lat": "43.6817587",
        "address": "Pearson Airport Terminal 1 (Ground Level Column R4), Mississauga",
        "lng": "-79.6112996"
      },
      "carType": {
        "code": "VAN",
        "name": "MINI VAN 5 PASSENGERS"
      },
      "actualPickup": {
        "lat": "43.563XX",
        "address": "28XX Galleon Crescent, Erin Mills, Mississauga",
        "lng": "-79.7XX21XX9999999"
      },
      "paidamount": null,
      "notes": "$58 ",
      "prepaidtotals": null,
      "payment_type": "PostPaid"
    },
    "ride_info": {
      "image": "http://[server]/archive/public/rideinfo/images/5bdf5b909bf04072db13826dc89f1c79b4.png",
      "google_url": "https://maps.googleapis.com/maps/api/staticmap?key=......",
      "distance": "19.97 km"
    },
    "driver": {
      "last_name": "Madhi",
      "photo": "",
      "first_name": "Hayder",
      "email": "h.aXXXXXX@yahoo.com",
      "phone": "647588XXXX",
      "token": "9a1045e156fXXXX"
    },
    "vouchers": null,
    "bookingTerminal": [],
    "payments": [],
    "carseats": null
  }
}

Data Analysis

Within the ~32,000 records, the following items are of note (based on values observed in the records):

  • Customer
    • First Name
    • Last Name
    • Email
    • Phone #
    • Pickup/Dropoff Address
  • Driver
    • Vehicle Info
    • First Name
    • Last Name
    • Email
    • Phone
  • Ride
    • Notes
    • Payment Type / Voucher
    • Remarks (Some Containing CC info)
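The card numbers sat in free-text fields ("remarks", "notes") where no schema marks them as sensitive, so finding them means scanning every string in every document. The following is an added example (not code from the article or from mi-taxi) of such a scan: it walks a nested Elasticsearch document of the shape shown above, Luhn-checks every 13-19 digit run so phone numbers and timestamps are not flagged, masks all but the last four digits, and reports the JSON path of each hit. The sample record is constructed; 4111 1111 1111 1111 is a widely published test card number.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum; rejects most phone numbers, ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact_text(text):
    """Mask each Luhn-valid card number in text (keep last 4); return (text, [last4...])."""
    hits = []
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # numeric but not a card number: leave it alone
        hits.append(digits[-4:])
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, text), hits

def _walk(obj, path, findings):
    if isinstance(obj, dict):
        return {k: _walk(v, f"{path}.{k}" if path else k, findings) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_walk(v, f"{path}[{i}]", findings) for i, v in enumerate(obj)]
    if isinstance(obj, str):
        clean, hits = redact_text(obj)
        findings.extend((path, h) for h in hits)
        return clean
    return obj  # numbers, null and booleans are returned untouched

def redact_record(record):
    """Return (redacted copy of an ES document, [(json_path, last4), ...])."""
    findings = []
    return _walk(record, "", findings), findings

# Constructed sample shaped like the exposed record; 4111 1111 1111 1111 is a well-known test PAN.
SAMPLE = {
    "booking": {"booking": {
        "passenger": {"phone": "4165550100", "remarks": "Remarks: 4111 1111 1111 1111 ex 4/19 (123)"},
        "actualPickup": {"lat": "43.563XX", "address": "28XX Galleon Crescent"},
        "notes": "$58 "}},
    "ride": [{"actual_driver_arrival_to_customer": "2018-08-03 14:40:44", "distance_m": 26530}],
}
```

redact_record(SAMPLE) returns the masked copy together with [('booking.booking.passenger.remarks', '1111')], while the phone number and timestamp are left alone.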

Mobile App Analysis

Using standard tools like Packet Capture, it is quickly evident that the mobile application is not using HTTPS/TLS, and any data sent to the server (including credit cards, which can be added to your profile) is sent in clear text. Below is a captured login request and the server's response (API key, password and email masked):

POST /system/public/api/v2/remote/customers/mob/Login HTTP/1.1
Api-Key: LCZpccLZtbq4yJtcHSABujaS8zNXXXXXXXX

domain_id=1&password=PassXXXXXXX&email=bwiXXXXX%40gmail.com&

{
    "responseCode": "SUCCESS",
    "msg": "SUCCESS",
    "token": "MUfp38C4BvYGk7jtmPbxytVOu6kFYWOb",
    "payment": [],
    "payment_methods": [{
        "id": 1,
        "name": "Credit Card",
        "short_name": "credit_card"
    }, {
        "id": 2,
        "name": "Pay Driver (cash)",
        "short_name": "pay_driver_cash"
    }, {
        "id": 3,
        "name": "Pay Driver (debit)",
        "short_name": "pay_driver_debit"
    }, {
        "id": 4,
        "name": "Pay Driver (credit)",
        "short_name": "pay_driver_credit"
    }, {
        "id": 5,
        "name": "Voucher",
        "short_name": "voucher"
    }],
    "customer": {
        "id": 273229,
        "domain_id": 1,
        "first_name": "Bob",
        "last_name": "Westmoore",
        "email": "bwistheone@gmail.com",
        "phone": "4168781930",
        "phone2": "4168781930",
        "phone3": null,
        "phone4": null,
        "phones": null,
        "photo": "",
        "password": "$2y$10$T0D9aOvyBRQJ5GaEoDjJWelz4TQ2TlsdFufDpYR461y.zyi\/.KGvW",
        "company_id": 1,
        "department_id": 0,
        "corporate": null,
        "registered": 0,
        "hasdead": 0,
        "remember_token": "MUfp38C4BvYGk7jtmPbxytVOu6kFYWOb",
        "is_guest": 0,
        "driver_id": 0,
        "tablet_id": 0,
        "created_at": "2019-03-11 10:58:08",
        "updated_at": "2019-03-11 10:58:27",
        "discount": null,
        "extra_charges": null,
        "iscompany": 0,
        "cnumber": null,
        "cexpiry_date": null,
        "csecurity_code": null,
        "ctoken": "",
        "fav_driver_id": null,
        "remarks": null,
        "discount_1": 0,
        "discount_2": 0,
        "discount_3": 0,
        "extra_1": 0,
        "extra_2": 0,
        "extra_3": 0,
        "deleted_at": null,
        "payment_method": 2,
        "is_active": 1,
        "phone_verified": 1,
        "booking_counts": 0,
        "old_id": 0,
        "old_company_id": 0,
        "no_account": true
    },
    "message": "SUCCESS"
}

Summary

If you have used Mississauga Taxi and paid by credit card, you may wish to notify your card issuer to be aware of potential fraud.
