GO-JEK is an Indonesian unicorn transport startup, often seen as the most famous and biggest startup to come out of Indonesia. GO-JEK provides services like bike taxis, cabs, food delivery, mobile payments, ticket booking and more.
At Fallible, one of the things we are working on is accurately automating the detection of data leaks, even in complex logic flows and with non-standard authentication procedures. During a security audit of the GO-JEK public APIs consumed by its mobile applications, we found multiple security vulnerabilities in GO-JEK. We contacted GO-JEK with a sample of the data leak for Mr. Nadiem Makarim, the CEO of GO-JEK (partially redacted screenshot below). GO-JEK's response in June 2016 was that they were fully aware of all the security issues and that fixes were on the current roadmap. We recently contacted GO-JEK again, and their CISO confirmed that it was alright to publicly disclose the vulnerabilities now.
You can get a list of all rides taken by any user, including the exact GPS coordinates, using this API endpoint. The request carries an Authorization token, but the server does not use it to check that the caller owns the user ID given in the URL.
https://api.gojekapi.com/gojek/v2/customer/v2/history/551925748
[Screenshot: History API]
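The flaw described above is a missing object-level authorization check: the token proves who the caller is, but the handler never compares that identity with the user ID in the path. The following is an added illustration written for this post, not GO-JEK's code; it models a history endpoint with a constructed token table and ride data, showing a handler that only checks the token is present beside one that binds the token's subject to the requested ID. The same check applies to the order and notification endpoints discussed below.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: bearer tokens mapped to the user ID they were issued to,
# and each user's ride history (IDs and coordinates are made up for this example).
SESSIONS = {"tok-alice": 551925748, "tok-bob": 551925749}
HISTORY = {
    551925748: [{"ride": "R1", "pickup": (-6.2088, 106.8456), "drop": (-6.1751, 106.8650)}],
    551925749: [{"ride": "R2", "pickup": (-6.2297, 106.8076), "drop": (-6.1944, 106.8229)}],
}


@dataclass
class Request:
    path: str                     # e.g. /gojek/v2/customer/v2/history/<user_id>
    authorization: Optional[str]  # "Bearer <token>" or None


def _user_id_from_path(path: str) -> int:
    # The last path segment is the user ID the caller is asking about.
    return int(path.rsplit("/", 1)[1])


def _subject(req: Request) -> Optional[int]:
    # Resolve the bearer token to the user it was issued to; None if missing/invalid.
    if not req.authorization or not req.authorization.startswith("Bearer "):
        return None
    return SESSIONS.get(req.authorization[len("Bearer "):])


def history_vulnerable(req: Request):
    # Presence check only: any valid token can read any user's history (IDOR).
    if _subject(req) is None:
        return 401, None
    return 200, HISTORY.get(_user_id_from_path(req.path), [])


def history_fixed(req: Request):
    # Object-level authorization: the token's subject must own the requested ID.
    subject = _subject(req)
    if subject is None:
        return 401, None
    requested = _user_id_from_path(req.path)
    if requested != subject:
        # Deny without revealing whether the ID exists; log the attempt server-side.
        return 403, None
    return 200, HISTORY.get(requested, [])
```

Where an endpoint only ever serves the caller's own records, deriving the user ID from the token and ignoring the path removes the check entirely; the path ID then becomes redundant rather than trusted.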
Get the details of orders placed via the GO-JEK API:
https://gobox-api.gojekapi.com/v1/users/551925748/history
[Screenshot: Orders]
You can get a user's personal details by their ID number using this API endpoint. This includes their phone number, name, the driver's personal details, the pickup and drop locations, and other ride-related information.
The response contains the phone numbers of both rider and driver, along with the origin and destination coordinates.
[Screenshot: findByOrderId]
An unusual vulnerability we detected was that you could use another user's ID in an API endpoint and snoop on the GO-JEK notifications meant for that user. We are still researching whether this can lead to further issues and will refrain from disclosing the API endpoint for this.
There are several other API endpoints that can be used to corrupt user data and disrupt operations. For example, you could change the cancellation reason of every cancelled ride for every user. We will refrain from mentioning the write-access APIs at this point.