Home Who let the birds out?
Post
Cancel

Who let the birds out?

Andreas Wienes on Sep 20, 20222022-09-20T17:25:26+02:00
Updated Nov 27, 20222022-11-27T16:55:13+01:00 2 min read

Some General Information about Bird E-Scooters

Bird e-scooters are becoming more and more popular in bigger cities. And despite the fact that they are laying around like pieces of ugly looking electronic trash, they are sometimes actually quite useful.

bird_twitter broken_voi_scooter

And they are easy to get. You just need to open the nice looking mobile app, find a bird nearby and then finally book it. That’s it. - Enjoy your ride!

Just in case you can’t find the desired bird for some reason you are also able to use a nice little feature to let the bird chirp. Making some kind of noice and blinking lights to help you with a little orientation, when it’s dark outside.

Let’s have some fun

Analyzing the network traffic between the Bird mobile app and the Bird servers shows two interesting API endpoints that are used to help you getting your next ride.

https://api-bird.prod.birdapp.com/bird/nearby and https://api-bird.prod.birdapp.com/bird/chirp.

The first one is used to get a list of all birds within a specific radius and the second one is used to let a Bird chirp.

Sounds great, eh?

What would happen if someone would try to let more than one bird scooter chirp?

Well, there is nothing stopping you from trying to do this.

Here is a short demonstration (a click will open YouTube)

Imagine someone would add different locations, where a lot of Birds are located, into this proof of concept. Imagine someone would set the radius to a very high number and put all of this into an infite loop… Ooops.

I’m pretty sure the same is possible with other providers such as Tier, but I didn’t have the time to test it.

Learnings

Limits everywhere

bird_twitter

The Bird API should have different types of limits implemented. The allowed value for the radius should be limited. The number of Birds you receive from the API is limited to 250. But do you really need information about 250 Bird E-Scooter nearby? This value should also be limited. And the number of requests we are able to send to /bird/chirp within a reasonable amount of time should also be limited.

Make it easy to get in contact

The people at Bird don’t use /.well-known/security.txt so I’ve tried to contact them via Twitter and e-mail. This is what I got in response:

bird_twitter bird_my_email bird_email_answer

So please as a company use the security.txt or start a bug bounty program to make reporting security findings easier.

Thanks for reading and thanks a lot to @Zyberum for the inspiration for this little fnord experiment.

HACKING
infosec
This post is licensed under CC BY 4.0 by the author.
Recent Update
Contents

CSD 2021 Snake Jazzzzz Write-Up

Recap - Hacker Things CTF 2022