Automotive service O2O is raging, but who is paying attention to product security? - Vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201566393
Type myhack58
Reporter Anonymous
Modified 2015-08-31T00:00:00


As of April 2015, China's motor vehicle fleet had reached 2.64 million vehicles. Facing an automotive after-market on the order of a trillion, all kinds of automotive service O2O platforms are competing to rise: in 2014 the number of venture investment and financing deals in the O2O after-market field reached 67, ten times the figure for 2013, with a total roughly estimated at up to one hundred billion yuan. At the same time, we found that amid the O2O platform wars in the after-sales service market, very few vendors pay attention to the security of their own products, which is a time bomb buried under them. Vulnerability Box (Vulbox) has recently received a series of vulnerabilities in automotive after-market service O2O APPs; they are of high severity and involve many vendors, including several industry leaders.

Great Tiger Car Maintenance: buying tires for 1 penny
Great Tiger Car Network is China's first domestic B2C e-commerce platform for car products, offering customers online booking and offline installation of car-maintenance items. Great Tiger completed a C round of nearly a billion dollars in June this year; however, a Vulbox white hat discovered a fatal logic vulnerability in its APP: by modifying the amount in the order request, a tire can be bought for 1 penny. 【Vulnerability number: Vulbox-2015-010289】

Keeping a Car Hassle-Free: buying the annual card for 1 penny
Keeping a Car Hassle-Free claims to be the most professional one-stop car maintenance service platform, providing private car owners with non-4S car repair and maintenance services both online and offline. Unfortunately, a white hat found a vulnerability in its iOS APP client: by modifying the amount parameter in the order request, an annual card worth 500 yuan can be purchased for 1 penny. 【Vulnerability number: Vulbox-2015-010290】

The Car Ants: buying Ant Glass Treasure for 1 penny
The Car Ants is the first domestic local car-life services O2O platform in the true sense of the automotive after-market, designed to provide owners with more comprehensive services. A white hat found that the Car Ants APP has a vulnerability: an owner can modify the payment amount in the order request and buy Ant Glass Treasure for 1 penny. 【Vulnerability number: Vulbox-2015-010290】

Orange Cattle Car Housekeeper: $1 to escape violation fines
The Orange Cattle Car Housekeeper APP offers free online lookup of traffic violations and handling of violation fines, and now covers 360 cities nationwide. Vulbox found that by placing an order in the Orange Cattle APP and then modifying the order amount, violation fines can be evaded for free. 【Vulnerability number: Vulbox-2015-010292】

Music Car Bang: user account information can be read at will
Music Car Bang is China's first professional e-commerce trading platform focused on integrating 4S-shop after-sales services; its Internet-based after-sales model avoids the drawbacks of the traditional auto repair industry, but the risk of user account information disclosure is also elevated. A Vulbox white hat recently submitted a vulnerability through which one can log in to any account and view user information. 【Vulnerability number: Vulbox-2015-010358】

Golden Motor: one vulnerability logs in to any account
Golden Motor is the first domestic self-service car maintenance platform, offering an online-and-offline service platform that integrates automotive maintenance support and repair parts. However, it did not pay attention to users' information security: a Vulbox white hat found a vulnerability in the Golden Motor APP whereby knowing only a user's phone number is enough to log in to their account. 【Vulnerability number: Vulbox-2015-010324】

Car Easy Protection: interface can be traversed, leaking a large number of user records
Car Easy Protection specializes in a nationwide after-sales service platform, providing millions of owners with a full range of car maintenance services. A Vulbox white hat found a high-risk vulnerability in its APP: by changing the memberid, all user information can be traversed, including phone numbers, QQ numbers, license plate numbers and so on. 【Vulnerability number: Vulbox-2015-010322】

e Pension Car: can log in to any account
e Pension Car is a brand-new automobile maintenance service platform: subscribers place an order online and enjoy quick and easy offline home maintenance services. A Vulbox white hat found a security issue in its APP: any user account can be logged in to, so that user's information may be leaked. 【Vulnerability number: Vulbox-2015-010363】

Blue Rhino: unlimited coupon farming
Blue Rhino is a new information service platform for traditional logistics and freight companies; it connects intra-city direct-delivery information to users and drivers at both ends to achieve fast and effective intra-city distribution. But recently several white hats discovered security problems at Blue Rhino: the official website risks disclosing tens of thousands of orders and hundreds of thousands of user records, and the APP's registration SMS verification code can be easily guessed, so farming coupons without limit is no problem at all. 【Vulnerability numbers: Vulbox-2015-010180, Vulbox-2015-010205, Vulbox-2015-010271】

Safety recommendations
The Vulnerability Box security team believes that the huge profits of the automotive after-market are attracting more and more capital, and car O2O projects are popping up everywhere. But many vendors' security capabilities do not match their business risk: they focus only on functional implementation and often overlook security issues. APP clients that trust all certificates, over-reliance on HTTPS communication, requests lacking the necessary signatures, and logic vulnerabilities in server-side API interfaces have become the hardest-hit security issues. We recommend that vendors consider security design from the start of business and product development, and focus security testing on the APP's business logic, such as payment functionality and API interfaces.
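As an added example (not code from the original article or from any vendor named in it), the server-side checks the recommendations call for, in Python: a request signature, an order amount recomputed from a server-side catalog instead of the client's value, and an ownership check on member lookups. The catalog, shared secret and member records are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample data (hypothetical): authoritative prices in fen, a shared API secret
# and a member store. A real service would keep these in its database / key store.
CATALOG = {"tire-205-55R16": 49900, "annual-card": 50000}
API_SECRET = b"constructed-demo-secret"
MEMBERS = {101: {"phone": "138****0001"}, 102: {"phone": "139****0002"}}


def sign_request(body: dict, secret: bytes = API_SECRET) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the request body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def process_order_vulnerable(request: dict) -> dict:
    """Charges whatever amount the client sent: the pattern behind the 1-penny orders."""
    return {"ok": True, "charged": request["amount"]}


def process_order_hardened(request: dict, signature: str, secret: bytes = API_SECRET) -> dict:
    # 1. Reject unsigned or tampered requests (signature no longer matches the body).
    if not hmac.compare_digest(sign_request(request, secret), signature):
        return {"ok": False, "reason": "bad signature"}
    # 2. Recompute the amount from the server-side catalog; a secret extracted from the
    #    APP lets a client re-sign a tampered body, so the signature alone is not enough.
    try:
        expected = sum(CATALOG[item["sku"]] * int(item["qty"]) for item in request["items"])
    except KeyError:
        return {"ok": False, "reason": "unknown sku"}
    if expected <= 0 or request.get("amount") != expected:
        return {"ok": False, "reason": "amount mismatch"}
    return {"ok": True, "charged": expected}


def get_member_hardened(session_user_id: int, memberid: int) -> dict:
    """Only the authenticated owner may read a member record (blocks memberid traversal)."""
    if memberid != session_user_id:
        return {"ok": False, "reason": "forbidden"}
    return {"ok": True, "member": MEMBERS.get(memberid)}


def demo() -> tuple:
    order = {"items": [{"sku": "tire-205-55R16", "qty": 1}], "amount": 49900}
    sig = sign_request(order)
    legit = process_order_hardened(order, sig)
    tampered = dict(order, amount=1)                     # amount edited after signing
    rejected_sig = process_order_hardened(tampered, sig)  # caught by the signature
    resigned = process_order_hardened(tampered, sign_request(tampered))  # caught by recompute
    return legit, rejected_sig, resigned, process_order_vulnerable(tampered)
```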