Having recently entered the world of EV cars, I needed to get myself an account with ChargePlace Scotland whilst I awaited the installation of my home charger unit.  Initially, I had signed up for an account with my mobile phone however I wasn't finding the UX to be great, so I headed off to my laptop to check my account after my 1st initial public charging session.  Like many web applications, sometimes before you even go through any testing methodology you get a sense that there is going to be some sort of issue. That's what it felt like when loaded up this application.

Finding the IDOR

As I went to sign into the application, I realised that I hadn't actually saved my password for my account in my password manager on my mobile phone when I had initially created my account, therefore a password reset was required.

Upon receiving the email, I noted that the password reset link contained a six digit numerical value which I assumed was my account.  Once logged in with my new password, I copied and pasted the link for a 2nd time but this time I modified the six digit numerical value,  decreasing it by the value of 1.

This resulted in the following messages being displayed:

/user/reset/291987/1695831155/eQ1F_dUwJbVTBdZb-oodroim6JWvV13NYbisozIiVhc/login" method="post" id="extended-user-pass-reset" accept-charset="UTF-8">
This is a one-time login for [[REDACTED]] and will expire on Thu, 28/09/2023 - 16:12.

/user/reset/291986/1695831155/eQ1F_dUwJbVTBdZb-oodroim6JWvV13NYbisozIiVhc/login" method="post" id="extended-user-pass-reset" accept-charset="UTF-8">
This is a one-time login for Mr[[REDACTED]] and will expire on Thu, 28/09/2023 - 16:12

I have redacted the information that was rendered as this contained the firstname and surname of the user associated with each of the six digit numerical values.  At this stage, it would have been quite easy to enumerate the names of all users registered on the application using BurpSuites intruder tool.

CSV Export

Feeling curious, I started proxying all the requests the application was making via BurpSuite.  One section that caught my attention was the ability to download my charging data - this included the date, duration, site location, type of charge, kWh consumed and the cost.  This download was in CSV format.  Again, the request to the backend data used the six digit numerical value associated with a users account.  Not wanting to access data that didn't belong to me, I made a 2nd account on the application. Using this 2nd account I used the CSV Export feature, captured the request in BurpSuite, changed the numerical value to that of my genuine account and before I knew I had a downloaded a CSV file which held my own charging data.

At this point, the IDOR that I had discovered would allow me to enumerate PII relating to all users of the application and download their charging session information.  Time to make ChargePlace Scotland aware.

Disclosure Timeline

  • IDOR discovered on Thursday 28th Sept 2023
  • Contacted ChargePlace Scotland on Monday 2nd October via telephone - spoke to a customer help representative giving a high level overview of the issue, however they didn't ask for any of my contact details, nor would they provide me with a contact number for the security team - they assured me that a message would be passed on.
  • I was hesitant in believing that the information would actual get to the team that needed to know, so I also emailed the admin email address listed on their website.  
  • 14:01 - Received Call from Joshua Smith at Swarco (they run and maintain the ChargePlace charging and infrastructure) and I explained the issues discovered to him.  Being a developer, Joshua was able to fully understand the information that I provided him and talked through the methodology of how I found the issue and also the implications of disclosing PII.
  • Wednesday 4th October - Issue resolved

I have included a copy of my initial email below, as might be useful for future reference or if you need a rough idea how to approach a company if you happen to find an vulnerability :

*Good Morning,

I am an Information Security Consultant and Penetration Tester who specialises in web application security. As a new EV owner, I have recently signed upto the ChargePlace Scotland website however during this process I noted that an Insecure Direct Object Reference (IDOR) vulnerability is present on your website. This vulnerability would allow a malicious user to obtain personal data, namely the forename and surname of all users registered on the website, furthermore a second issue is present that would allow for all charging data for each individual user to be downloaded.

I initially reported this issue to staff (today 2nd October) via the helpline telephone number on the ChargePlace Scotland website, however I felt that the person I spoke to did not fully understand the issues that I was describing to them and they were unable to provide me with any additional contact information related to the team that deals with the security of website, as such I am also contacting you via email to ensure that you are aware of these issues.

My primary motivation in contacting you is to ensure the security and integrity of your website and the data it handles (including my own data), not for monetary gain. I believe in responsible disclosure and I am reaching out so that you can fix the issue promptly to ensure that user data is secured correctly.

Please feel free to contact me and I will happy to provide you further information in regards to these issues, this can be done either by email or via telephone

Sincerely,

Chris Young*

Key Points

  • This wasn't a paid security test or a Bug Bounty.
  • I created a 2nd account throwaway account in order to disclose the information stored on my geninue account.  This way, I was only obtaining the charging information that related to my sessions and no one else.
  • Approaching companies and organisations when you discover such issues can be quite daunting. You want to disclose the vulnerability, however there is always some fear that your going to called out for attempting to hack the website.  This is where your approach matters.  As shown above, ensure you make them aware of what you do and be 100% transparent that you aren't looking for financial enumeration.  Sure, it would be great if they did do that, but this wasn't a Bug Bounty.
  • Don't go hacking on stuff you haven't got permission to. I found this issue simply by interacting with the website as a normal user.