Sokowatch, a Kenyan startup that has raised over $4M, has massive security flaws

I hope that someone can pass this along to someone at the company. I tried emailing them but no one ever got back to me.
[ul]
[li]The company’s issue board can be found online at this IP address: http://45.33.113.234/issues . This board has customer information amongst other information. The board can be easily found by doing a Google search using terms such as “Sokowatch customer login”, “Sokowatch login”, “Sokowatch bugs”, etc.[/li]
[li]To view customer phone numbers, for example, you can go to the issues and look for “customers are in need of phone”. You can also access this directly from Google by searching “sokowatch customers in need of phone”. Past versions of this board are on the Internet Archive.[/li]
[li]Their Android app requires a phone number to log in. Some of their versions (can be found on https://apkpure.com ) do not implement 2FA authentication. As such you can log in to a customer’s account by just having their phone number.[/li]
[li]The underlying backend code generates a bearer token by simply using a valid customer phone number. Anyone who has a customer’s phone number (retrieved above) can get an access token which allows him/her to access their APIs. You can get that by sending a POST request to this endpoint https://www.sokowatch.com/oauth/token with the following payload { "customer": true, "grant_type": "password", "phone_number": "07…" } and generate a valid bearer access token.[/li]
[li]Roles && permissions have not been properly implemented. Anyone with a customer bearer token can access the following endpoints:
[ol]
[li]/orders/:id[/li]
[li]/customers[/li]
[li]/customer_recommendation/recommendations?id=customerId (It might not be the exact path but there was valid payload returned)[/li]
[/ol]
For 1 and 3, the ids are integers (suspect them to be autogenerated ids from the db). As such, someone can loop from one to the end of the list to get all the data.[/li]
[/ul]
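As an added illustration (not code from this thread or from Sokowatch), this is how the two server-side weaknesses described in the post are closed on the defending side: a bearer token is issued only after the caller proves possession of the phone with a one-time code, and an order lookup by integer id is scoped to the caller’s own customer record so that walking ids returns nothing about other customers. All customer records, phone numbers and order ids here are constructed placeholders; the function names are hypothetical.

```python
import hmac
import secrets
from hashlib import sha256

# Constructed sample data (placeholders, not real customers or orders).
CUSTOMERS = {1: "0700000001", 2: "0700000002"}          # customer_id -> phone
ORDERS = {101: {"customer_id": 1, "item": "flour"},
          102: {"customer_id": 2, "item": "sugar"},
          103: {"customer_id": 1, "item": "rice"}}
_PENDING_OTP = {}   # phone -> sha256(code); written by request_otp(), consumed once
_TOKENS = {}        # bearer token -> customer_id


def _customer_by_phone(phone):
    return next((cid for cid, p in CUSTOMERS.items() if p == phone), None)


def request_otp(phone):
    """Step 1 of login: the phone number only identifies the account, it is never
    the credential. A one-time code is generated and would be sent by SMS."""
    if _customer_by_phone(phone) is None:
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    _PENDING_OTP[phone] = sha256(code.encode()).hexdigest()
    return code  # returned only so the example runs offline; a real server sends it


def issue_token(phone, otp):
    """Step 2: a bearer token is issued only if the one-time code matches.
    Knowing a phone number alone (e.g. from a leaked board) yields nothing."""
    expected = _PENDING_OTP.pop(phone, None)  # single use: consumed on any attempt
    presented = sha256(otp.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = _customer_by_phone(phone)
    return token


def get_order(token, order_id):
    """GET /orders/:id with an ownership check. Unknown ids and other customers'
    ids both answer 404, so sequential ids cannot be enumerated for data."""
    customer_id = _TOKENS.get(token)
    if customer_id is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["customer_id"] != customer_id:
        return 404, None
    return 200, order
```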

Most Kenyan web apps are not secure at all. This is because every Dick and Tom googles “How to code …”, learns to use a framework/language, and later starts a software development job,

These guys should look for you and give you a contract to help identify those issues and verify when they are all fixed.

Loopholes all over. With a tool like Postman one can easily manipulate these things.

2FA, requiring authentication for specific routes, etc. are simple things… why didn’t they do it?
Even if you are a full-stack overflow developer, these are not difficult things to implement.

:D:D There will come a time when companies in Kenya will cry. A customer can simply sue this company for handling their personal data in such a careless fashion. Can you imagine what you can do with this sort of data, starting from impersonation. Anyway, what do I know.

Watch this guy lose, borrow, and regain over 57.000 in less than 4 minutes on the Robinhood app… if you play with money online you have to wear a radioactive helmet or you will cry.

https://www.youtube.com/watch?v=A-tNkuYV4_Q

It’s just that these companies in Kenya don’t have credit card numbers and the like; all you will find is data that is a hassle to monetise.

And the Huduma number?