The story of Yohanes Nugroho finding a gaping hole in Gojek

Jakarta - The taller the tree, the stronger the wind that strikes it. This maxim seems to fit Go-Jek. Yes, who among the digitally minded does not know this online taxi service? Its skyrocketing popularity has made people curious to look inside Go-Jek.
Illustration (detikcom)
That background is what made Yohanes Nugroho, a programmer then living in Chiang Mai, Thailand, curious to find out more about what goes on in Go-Jek's kitchen.
"Because I could not try Go-Jek directly here (I was in Chiang Mai, Thailand) and kept hearing how popular the Gojek app was, I got curious and did what is called reverse engineering on the Gojek app. From reverse engineering we can read what Go-Jek's code does. This is where I found the oddity of it not using sessions," Yohanes said when corresponding with detikINET.

Yohanes explained that reverse engineering is the process of taking apart the materials and technology in an object. People can reverse engineer all sorts of things, such as recipes, electronic devices, or programs. In this context, of course, what is meant is software reverse engineering: the process of working out a program's algorithm (or its source code, if possible).

Many things can be done through reverse engineering. In the case of a virus, we can analyse the virus and build a precise antidote. In the case of program protection, we can dismantle protections such as serial numbers and expiry dates.
"In the case of lost source code, we can recover most of what was lost. If we want to write a program that can read another program's file format, we also need to reverse engineer it when the format is not publicly documented," explained the former ITB administrator.
Feelings of Doubt
Back to the holes in the Go-Jek application: from the results of that reverse engineering, it turned out Yohanes found a gap in the Go-Jek application that criminals could exploit.

This is not just any hole: it concerns the security and privacy of Go-Jek's users and drivers. The following is what Yohanes reported in August 2015:
1. Anyone can look up a customer's ID by phone number, name, or email.
2. Anyone can change any Gojek driver's credit (pulsa) balance.
3. Anyone can view Gojek drivers' personal data, including photos, addresses, and even their mother's name.
4. Anyone can obtain other users' names, emails, and phone numbers.
5. Anyone can change another user's mobile phone number and name without needing to know the password.
6. Anyone can view other people's order history.
These findings were reported by Yohanes to Go-Jek in August 2015, and the company, led by Nadiem Makarim, responded and asked for time to fix them.
"I found these bugs around August 2015. Go-Jek was fairly responsive to my report, although many of the issues had still not been fixed nearly five months later. I was also given a 1 million credit (pulsa) balance, which I gave to my brother, but a few months later the Go-Jek system had an error and the balance became zero," said Yohanes.
This is an example of how Yohanes took a first look at the application, wanting to know how much was done by the mobile app and how much was handled by the server. When he saw that the application did not use session management to indicate that a request came from a user who had already logged in, he began to suspect that data would leak.

"And it was true: a lot of personal data leaked. It turned out one of my colleagues had found it before but had not followed up, because Go-Jek was still busy making their system more stable, and it turned out this bug had been there for quite a while," he continued.
Yohanes also briefly hesitated: should he quickly tell the public that someone could steal their personal data (especially the tens of thousands of Go-Jek drivers whose complete data was easily accessible)? Or wait, out of sympathy for a new startup? If announced hastily, before it was fixed, anyone could write scripts to harvest the entire user and driver database. For a moment Yohanes pictured the data breach at the infidelity website Ashley Madison, which caused such a commotion.

"I would actually feel uncomfortable assuming that my name, phone number, home address and the destination address of any Gojek ride I took could be accessed by anyone on the Internet. But since I do not live in Indonesia, I did not really feel it."
"In the end I decided to wait. One of my reasons: at that time a lot of people felt positive about Go-Jek's presence, and drivers and passengers benefited greatly (because of the referral system), unlike the last few months, in which there has been a lot of drama," said Yohanes, who, before posting his report on the Go-Jek bugs, first notified Go-Jek's administrators of the plan and got their approval.
Yohanes no longer remembers exactly when, but eventually the Go-Jek system he had reported on was replaced; many of the URLs moved to /v2/. OAuth was also added. After that point Yohanes had not checked again for new bugs. He assumed Go-Jek had hired system testers to make sure that this time everything was fine.
"Apparently, when I tried it again before posting this article, most of the bugs were still not fixed. The OAuth token is stored, but it is not used in all subsequent requests. Bugs like this also show the importance of security in your startup: suppose there is someone who is idle, malicious or envious; your startup could be folded by conceding like this," he said.
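The two weaknesses described above, an API with no session management and a token that is issued at login but then ignored, are easiest to see side by side in code. The following Python sketch is an added example for this article, not Go-Jek's code or anything Yohanes published; every record, password, token, path and handler name in it is constructed. The weak handler decides whose record to return or change from the URL alone; the hardened handler first authenticates the caller from the bearer token on every request, then applies object-level authorisation so a driver can only read or change their own record and credit balance.

```python
"""Model of the two failure modes in the article: an endpoint that never
checks who is calling, beside one that checks the token on every request
and then enforces ownership.  All data here is constructed for the example."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data. Driver profiles are sensitive (address, mother's
# name) and the credit (pulsa) balance is money.
DRIVERS = {
    "d-1001": {"name": "Driver A", "address": "Jl. Contoh 1", "mother": "Ibu A", "credit": 50_000},
    "d-1002": {"name": "Driver B", "address": "Jl. Contoh 2", "mother": "Ibu B", "credit": 20_000},
}
CREDENTIALS = {"d-1001": "pw-a", "d-1002": "pw-b"}  # plaintext only for the toy; hash in practice
SESSIONS = {}  # bearer token -> driver id, filled in by login()


@dataclass
class Request:
    """A constructed stand-in for an HTTP request."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def login(driver_id, password):
    """Issue a random bearer token on correct credentials, else return None."""
    expected = CREDENTIALS.get(driver_id)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = driver_id
    return token


def weak_handle(req):
    """The pattern the article describes: the client stores a token, but the
    server never reads it, so the id in the URL alone decides whose profile is
    returned (GET) or whose credit balance is overwritten (POST)."""
    driver_id = req.path.rsplit("/", 1)[-1]
    if driver_id not in DRIVERS:
        return 404, {"error": "not found"}
    if req.method == "GET":
        return 200, DRIVERS[driver_id]
    if req.method == "POST":
        DRIVERS[driver_id]["credit"] = req.body["credit"]
        return 200, {"credit": DRIVERS[driver_id]["credit"]}
    return 405, {"error": "method not allowed"}


def caller_from(req):
    """Resolve the Authorization header to a logged-in driver id, or None."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return SESSIONS.get(token)


def hardened_handle(req):
    """Authenticate from the token on every request, then authorise at the
    object level: a driver may only read or change their own record."""
    caller = caller_from(req)
    if caller is None:
        return 401, {"error": "authentication required"}
    driver_id = req.path.rsplit("/", 1)[-1]
    if driver_id not in DRIVERS:
        return 404, {"error": "not found"}
    if driver_id != caller:
        return 403, {"error": "forbidden"}
    if req.method == "GET":
        return 200, DRIVERS[driver_id]
    if req.method == "POST":
        # A real service would derive the new balance from a server-side
        # payment record rather than trust a client-supplied number.
        DRIVERS[driver_id]["credit"] = req.body["credit"]
        return 200, {"credit": DRIVERS[driver_id]["credit"]}
    return 405, {"error": "method not allowed"}


if __name__ == "__main__":
    tok = login("d-1002", "pw-b")
    print("weak, no token, other driver's profile:", weak_handle(Request("GET", "/drivers/d-1001"))[0])
    print("hardened, no token:", hardened_handle(Request("GET", "/drivers/d-1001"))[0])
    print("hardened, own record:", hardened_handle(
        Request("GET", "/drivers/d-1002", {"Authorization": "Bearer " + tok}))[0])
```

The point of the comparison is the order of checks in `hardened_handle`: identity comes from the token, never from the request body or URL, and the ownership check runs before any read or write, which closes both the data-exposure findings and the credit-balance finding in one place.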

Finally, Yohanes stresses that what he did was not a bid for the spotlight. Months earlier he had in fact informed Go-Jek about the security holes. But more than five months later, unfortunately, not all of the holes had been closed.
So by disclosing the bug issue to the public through a blog post that Go-Jek had already been told about, he hopes to push the online taxi service further to improve its service right away. "Because it looks like if it is not published, the fixes will be done slowly and new features will be prioritised," he concluded.
The Go-Jek side was approached for confirmation by the detikINET team. But a message sent to Go-Jek CEO Nadiem Makarim had not received a response by the time this story was written. (ash/fyk)
