User Discovers Bug In UrbanClap That Lets Customers Order Unlimited Services For Free

UrbanClap has become the latest startup to have its tech compromised by a part-time hacker.

An UrbanClap user has claimed he was able to book unlimited services — for free — on the home services startup. Udit Agarwal, a software engineer with Amazon, says he was able to exploit a vulnerability in UrbanClap’s payment gateway to bypass its checks. By simply modifying a API call, he was able to convince UrbanClap’s servers he’d paid when he had not.

After booking a service, UrbanClap guides its users to a “proceed to pay” button, which adds the transaction to their system. The API call generates a hash, and also sends the payment values — the paid amount, the discount, and the coupon discount. Agarwral changed the values of the discount, paid amount and coupon discount in the call. In the original call, the paid amount was 2299. Agarwal replaced it with a discount of 2298 and changed the paid amount to Rs. 1.

urban clap free services

He then passed this information on to PayU, the payments provider, which promptly accepted the new values. Agarwal was able to book a Spa appointment, priced at Rs. 2299, for a mere Rs. 1.

urban clap free services bug

 

“No server side calculations or checks were in place. Whatever the amount was sent in the request, they were used directly for generating payment gateway hash without validating them for their correctness,” says Agarwal. 

Agarwal could’ve well obtained a lifetime’s supply of massages and plumbing services thanks to his discovery, but he chose to report the bug to Urban Clap’s CEO. The bug was acknowledged and fixed, and Agarwal received 5000 UrbanClap credits for his efforts.

It’s never easy for a hyperfunded startup to be caught with a basic vulnerability — UrbanClap announced a Rs. 120 crore series C fundraise just yesterday — but much bigger companies have had their tech compromised by industrious hackers. Earlier this year, Indian ethical hacker Anand Prakash had discovered a way to book Uber rides for free, and had been rewarded with Rs. 3 lakh by the company. Prakash had also managed to hack Twitter, and found a way to tweet from any account he chose.

As such, UrbanClap seems to be in august company, but Agarwal says he’s shocked by their negligence. “Everyone out there just wants to build a startup but no one thinks about the security parameters they should put in their tech stack,” he says.