What Is Bounceshare?
Bounce (formerly known as Metro Bikes) is India’s first smart mobility solution, with a mission of making daily commute stress-free, time-saving, reliable and convenient.
What Is The Flaw?
One of their internal API endpoints can log you into any Bounceshare account simply by passing that account's phone number in the request; the response returns the access token and the riderId.
That access token can then be used to access the Bounceshare account.
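As an added illustration (not Bounceshare's code; every name and value below is hypothetical or constructed), here is the pattern behind this class of flaw: a login handler that issues a token for whatever phone number the client supplies, beside the fixed version that issues a token only after a short-lived, single-use OTP proves possession of that number.

```python
"""Added example: phone-number-only login (flawed) vs. OTP-bound login.
Not Bounceshare's code; account store and names are constructed."""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample account store: phone number -> rider id.
ACCOUNTS = {"+910000000001": "rider-1", "+910000000002": "rider-2"}

# Pending one-time codes: phone number -> (otp, expiry as epoch seconds).
PENDING_OTPS: Dict[str, Tuple[str, float]] = {}
OTP_TTL_SECONDS = 300


def vulnerable_login(phone: str) -> Optional[dict]:
    """Flawed pattern: the phone number alone selects the account, so anyone
    who knows or enumerates a number receives that account's token."""
    rider_id = ACCOUNTS.get(phone)
    if rider_id is None:
        return None
    return {"accessToken": secrets.token_urlsafe(32), "riderId": rider_id}


def request_otp(phone: str, now: Optional[float] = None) -> Optional[str]:
    """Fixed flow, step 1: bind a short-lived random code to the phone number.
    A real service sends it by SMS and never returns it to the caller; it is
    returned here only so the example runs offline."""
    if phone not in ACCOUNTS:
        return None
    otp = f"{secrets.randbelow(10**6):06d}"
    expiry = (now if now is not None else time.time()) + OTP_TTL_SECONDS
    PENDING_OTPS[phone] = (otp, expiry)
    return otp


def hardened_login(phone: str, otp: str, now: Optional[float] = None) -> Optional[dict]:
    """Fixed flow, step 2: issue a token only after the caller proves possession.
    The code is single use (popped on the first attempt, right or wrong),
    expires, and is compared in constant time."""
    pending = PENDING_OTPS.pop(phone, None)
    if pending is None:
        return None
    expected, expiry = pending
    if (now if now is not None else time.time()) > expiry:
        return None
    if not hmac.compare_digest(expected, otp):
        return None
    return {"accessToken": secrets.token_urlsafe(32), "riderId": ACCOUNTS[phone]}
```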
Why Is It Big?
Bounceshare has a user base of approximately 2 million users.
These 2 million users are at risk of having their information leaked on the web.
Hackers and telemarketers can mine Bounceshare's data by automating a script against a phone number dump found online.
The hackers can also access your Bounceshare account and your sensitive information, such as your driving license, selfie, phone number and email; if you have linked Paytm, the attacker can also see your balance and book rides from your account.
How Do I Reproduce The Flaw?
I have created an automated script for demonstrating the flaw. It will auto-generate the access token for your phone number, log you into your Bounceshare account, and show your account information, including images of your driving license, your selfie photo, your name, and your email.
For our test, we are going to use disposable phone numbers from receive-sms-online.info.
Your data will be displayed below.