Including an issue of full card details leak
Cleartrip is an Indian online travel bookings company provides services such as flights, train and hotels bookings for users in India and some other middle -east countries.
We discovered multiple vulnerabilities in public internal APIs of Cleartrip including -
- Users full credit/debit card information leak including CVV and card expiry date.
- Users itinerary and personal information data including name, phone number, email for hotels, flights and Cleartrip local bookings.
- Users personal information leak for failed or in-process transactions.
- An ability to mass cancel all flight bookings made via Cleartrip.
The vulnerabilities have since been fixed. We intimated the issues to Cleartrip starting 28 Feb 2017 along with our responsible disclosure timeline. Cleartrip was responsive throughout the process of fixing the issues and we helped with verification of fixes and to report other side-effects that emerged from applying the fixes. We received communication that Cleartrip has fixed all vulnerabilities reported by us on 3 May 2017. Here is our initial tweet contacting them since we were not able to find any security related email.
One notable issue had a HTTP header which was leaking a URL which contained a serial itinerary id and the endpoint itself was not protected. The card details leak happened on an API endpoint which was supposed to pre-fill card information for different payment gateways in a hidden form. The data below has been redacted for user data privacy. We would publish the detailed technical details of the issues on our own blog sometime later.
A HTTP POST request made to the API Endpoint ‘https://www.cleartrip.com/payment/XXXXXX/redirect' with a data containing merchantTransactionId which is simply an integer in this case and could be run in a loop would spit out complete card details in a HTML form response.
<input type=”hidden” name=”vpc_SecureHash” value=”3A189D2ABE416355E604C371005445AE6AF93AF138A52E5FCA37B9FFF185ED45"/><input type=”hidden” name=”vpc_SecureHashType” value=”SHA256"/><input type=”hidden” name=”vpc_CardNum” value=”41476<Redacted>363"/><input type=”hidden” name=”vpc_AccessCode” value=”0<Redacted>EEE0"/><input type=”hidden” name=”vpc_MerchTxnRef” value=”CBC0227<Redacted>Q<Redacted>V”/><input type=”hidden” name=”vpc_TicketNo” value=”59<Redacted>0"/><input type=”hidden” name=”vpc_CardExp” value=”2110"/><input type=”hidden” name=”vpc_CardSecurityCode” value=”<Redacted>"/></form><br />
We would again like to remind users that assuming compliances like PCI-DSS would make you safe from attacks is not intelligent. Compliances are done with the sole objective of checking boxes and move on. The compliance processes most of the time lack the required time & skills to uncover vulnerabilities that might be exploited by a sophisticated hacker. The same goes for talking about ‘being safe from OWASP top 10’. There is a lot more to security vulnerabilities than OWASP top 10.
At Fallible, our key focus area is automation of detection of generic security vulnerabilities in APIs. We believe security vulnerabilities like these corresponding to HTTP APIs needs a technological solution available to everyone running a web service and not a process based solution like bug bounties that only benefit corporations actively running a bug bounty and exploiting the purchasing power difference around the world waiting for someone to report an issue. There have been advances towards making ‘intelligent WAFs’ but most attempts have been unsuccessful. We have been spending some time thinking about the problem in the past few months and are testing various alternative strategies for the same.