Reverse engineering Lyft Bikes for fun (and profit?)

48
14
ibigio
7 hours ago
ilanbigio.com

ibigio
·
7 hours ago
·
[ - ]

Howdy.

Back in 2019 I reverse engineered the lyft bikes api to unlock them from my bed. It's one of my favorite stories, and after telling it dozens of times I finally decided to write it up in its full technical glory.

I used to love learning about security through blog posts/writeups, so I tried to include as much detail as possible. Let me know if you like this style!

spydum
·
3 hours ago
·
[ - ]

Believe it or not, straight to jail! Just kidding, great writeup. I know it's not groundbreaking, but does surprise me how many products don't bother with rate limiting controls.

ibigio
·
1 hour ago
·
[ - ]

i actually think a quick-fix was setting a rate limit. which sadly thwarted my brute-forcing, but did not actually fix the race condition itself. though it's a very fair "kid, stop it" response until they fixed the race condition.

·
2 hours ago
·
[ - ]

caughtinthought
·
14 minutes ago
·
[ - ]

What if you get up so late in the morning that all of the bikes are definitely, most certainly, long, long gone?

pentamassiv
·
1 hour ago
·
[ - ]

Fun read!

Now that some bikes have electronic shifting, you can attack the bike itself. I wrote two blog post about how to downgrade the Shimano Di2 shifters and do a replay attack to remotely shift it. You can find them here:

https://grell.dev/blog/di2_downgrade https://grell.dev/blog/di2_attack

MarleTangible
·
3 hours ago
·
[ - ]

You'd generally expect a company like Lyft to pin its certificates, so it's notable that they don't. Any ideas as to why?

ale42
·
3 hours ago
·
[ - ]

If it's intentional, the only thing I can think of is access from corporate networks where SSL-intercepting proxies are absolutely common.

vimda
·
2 hours ago
·
[ - ]

Pinning certs has generally been discouraged for a while afaik. It's pretty trivial to bypass, at least on Android where you can side load easy, and it's a pain in the ass to manage with a huge potential to just take down your app if you mess it up

codetheweb
·
1 hour ago
·
[ - ]

this is cool! funnily enough I just did something very similar last weekend: https://github.com/codetheweb/bay-wheels-py

fainpul
·
2 hours ago
·
[ - ]

Another "bike hack" if you're into that (from 2004 and in German):

https://www.ccc.de/hackabike/

cptskippy
·
2 hours ago
·
[ - ]

> Geofence bypass: As far as I understand, there's no easy way to enforce a geofence server-side other than timing, consistency, etc. You sort of just have to trust whatever the phone tells you.

There's no fool proof method but you can make it very hard and impractical.

Both Apple and Google offer attestation mechanisms to confirm the integrity of the App and Device Environment that it's running on. This ensures that the API requests are coming from an attested device.

To mitigate the MITM attack you can use TLS Certificate pinning on sensitive API requests.

You could have the server side API provide a session specific signing token that the App uses to sign payloads attached to API calls.

knowitnone3
·
1 hour ago
·
[ - ]

you've unlocked hundreds of bikes under your account. That would mean you've reserved the bike and therefore have to pay for damage/loss of property?

ibigio
·
1 hour ago
·
[ - ]

if i would have actually unlocked all bikes then yes, they would have been under my account and i could have been in deep trouble. fortunately, (I made sure) that did not happen :)

sampton
·
3 hours ago
·
[ - ]

You never know with corporations. Consequences range from "federal pound-in-the-ass prison" or "here is $500".