2024-08-06 –, Florentine E
Since we were children we wanted to go to the arcade and play for hours and hours for free. How about we do it now? In this talk I’m gonna show you some vulnerabilities that I discovered in the cashless system of one of the biggest companies in the world, with over 2,300 installations across 70 countries, from arcades in Brazil, amusement parks in the United Arab Emirates to a famous roller coaster in Las Vegas. We will talk about API security, access control and NFC among other things.
- Stage 0
- Introduction
- Stage 1
- About Brazilian arcade and cashless system
- NFC Card
- Website to charge money and view data
- Stage 2
- Company who provide the system
- More than 2300 installations across 70 countries
- Api endpoints
- Stage 3
- IDOR and Broken Authentication
- A lot of user and cards data
- Not just arcades. Roller coaster Vegas. Clients around the world
- Stage 4
- Mobile app for all the customers
- Keys and endpoints in plain text (DEMO)
- Endpoint to recharge credits
- Stage 5
- Account Takeover (DEMO)
- Race Condition (DEMO)
- Stage 6
- Online Party Booking
- A lot of confidential information
- Script to get data (DEMO)
- Stage 7: Booking Management portal
- Broken Access Control
- List and modify all the bookings
- Stage 8: Side servers
- Public zendesk with data
- Go-karting in U.S.
- Amusement park in Spain
- Chile, Ecuador, Phoenix
- Stage 9: NFC
- Brazilian card
- Leak security
- Android NFC
- Stage 10
- A lot of customers in the U.S.
- Conclusions
- QA
Ignacio Navarro, an Ethical Hacker and Security Researcher from Cordoba, Argentina. With around 6 years in the cybersecurity game, he's currently working as an Application Security. Their interests include code analysis, web application security, and cloud security.
Speaker at Hackers2Hackers, Security Fest, BSides, Diana Initiative, Hacktivity Budapest, 8.8, Ekoparty.
@Ignavarro1