A Swedish security enthusiast was able to take advantage of some weaknesses in the Voi scooter mobile app to get $100,000 worth of free rides.
Voi is a Scandinavian micro-mobility startup that offers electric scooter riding services in partnership with cities and local communities. The company has raised over $80 million over three investment rounds since its launch in August 2018.
Free rides for a long time
Voi boasts at least three million riders in 34 cities in 10 countries, including Sweden, France, Germany, Spain, Portugal, Denmark, and Norway. One year after its launch, Voi reached five 10 million rides.
David Fant decided one Sunday evening to take a look at the Voi mobile app and see what issues he could find. He reverse-engineered it and, three hours later, had created e-scooter riding credit worth $100,000.
Each unit of Voi credit is worth EUR 1 in local currency. Users get some for free when they sign up for the service and ride a Voi e-scooter.
In a write-up at the end of September, Fant described the issues and recommended some steps that would make it more difficult to take advantage of the weaknesses.
The issues he discovered are at the API level and make it possible to add promo codes for free rides distributed by various Voi partners, such as Revolut, Swedish Railroads, or the Bumble dating app.
According to Fant, the API does not enforce the same security measures the Voi app applies during sign-up and skips certain verifications that would prevent, or at least make it harder to commit, fraud.
Creating an account through the app requires a valid, verified email address and payment information. A field for entering a promo code for free credit is also available.
While the app verifies these details, the API is not as strict about them, the researcher says. Creating an account is easy; getting the promo codes from Voi partners is the harder part.
Fant was able to generate a seemingly unlimited amount of promo codes, though, through websites of Voi partners. By monitoring where these codes are offered, one could do the same and benefit from free Voi rides for a long period.
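The pattern described above, a server endpoint that trusts the client to have done the checking, is a general one. The following is an added illustration and not Voi's code, Fant's write-up, or any real partner's redemption flow: a hypothetical promo-code redemption service with a weak handler that assumes the app already verified the user, beside a hardened handler that repeats every check server-side (verified email, payment method on file, code expiry, global redemption cap, one use per account, a per-account daily limit) and logs denied attempts for detection. All account names, code strings and policy numbers are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


class RedemptionError(Exception):
    """Raised when a promo-code redemption fails a server-side check."""


@dataclass
class Account:
    email: str
    email_verified: bool = False        # set only after the user confirms the verification link
    has_payment_method: bool = False    # set only after the payment provider confirms a card
    credit: int = 0                     # credit units (EUR 1 each, as the article describes)
    redeemed_codes: set = field(default_factory=set)
    redemption_times: list = field(default_factory=list)


@dataclass
class PromoCode:
    code: str
    value: int
    max_redemptions: int = 1            # how many accounts may use this code in total
    redemptions: int = 0
    expires_at: Optional[datetime] = None


class PromoService:
    PER_ACCOUNT_DAILY_LIMIT = 3         # hypothetical policy: at most 3 redemptions per 24 h

    def __init__(self):
        self.accounts = {}
        self.codes = {}
        self.audit_log = []             # denied attempts, for detection and alerting

    def add_account(self, account):
        self.accounts[account.email] = account

    def add_code(self, promo):
        self.codes[promo.code] = promo

    def redeem_trusting_client(self, email, code):
        """Weak pattern: assumes the mobile app already enforced email verification,
        payment details and single-use codes. A direct API caller skips all of that."""
        account = self.accounts[email]
        promo = self.codes[code]
        account.credit += promo.value
        promo.redemptions += 1
        return account.credit

    def _deny(self, email, code, reason):
        self.audit_log.append((email, code, reason))
        raise RedemptionError(reason)

    def redeem(self, email, code, now=None):
        """Hardened pattern: every check the app performs is repeated here,
        because the server is the only place the client cannot bypass."""
        now = now or datetime.now(timezone.utc)
        account = self.accounts.get(email)
        if account is None:
            self._deny(email, code, "unknown account")
        if not account.email_verified:
            self._deny(email, code, "email not verified")
        if not account.has_payment_method:
            self._deny(email, code, "no payment method on file")
        promo = self.codes.get(code)
        if promo is None:
            self._deny(email, code, "unknown promo code")
        if promo.expires_at is not None and now >= promo.expires_at:
            self._deny(email, code, "promo code expired")
        if promo.redemptions >= promo.max_redemptions:
            self._deny(email, code, "promo code exhausted")
        if code in account.redeemed_codes:
            self._deny(email, code, "code already redeemed by this account")
        window_start = now - timedelta(hours=24)
        recent = [t for t in account.redemption_times if t > window_start]
        if len(recent) >= self.PER_ACCOUNT_DAILY_LIMIT:
            self._deny(email, code, "per-account daily redemption limit reached")
        # all checks passed: apply the credit and record the redemption
        account.credit += promo.value
        account.redeemed_codes.add(code)
        account.redemption_times.append(now)
        promo.redemptions += 1
        return account.credit


SAMPLE_NOW = datetime(2019, 10, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def build_sample_service():
    """Constructed sample data (not from the article): two accounts and a few codes."""
    svc = PromoService()
    svc.add_account(Account("unverified@example.com"))
    svc.add_account(Account("verified@example.com", email_verified=True, has_payment_method=True))
    svc.add_code(PromoCode("CONSTRUCTED-FREE10", 10, max_redemptions=5))
    svc.add_code(PromoCode("CONSTRUCTED-SINGLE", 5, max_redemptions=1))
    svc.add_code(PromoCode("CONSTRUCTED-EXPIRED", 5, max_redemptions=5,
                           expires_at=SAMPLE_NOW - timedelta(days=1)))
    for name in ("CONSTRUCTED-A", "CONSTRUCTED-B", "CONSTRUCTED-C"):
        svc.add_code(PromoCode(name, 1, max_redemptions=5))
    return svc


if __name__ == "__main__":
    svc = build_sample_service()
    print("weak handler, unverified account:",
          svc.redeem_trusting_client("unverified@example.com", "CONSTRUCTED-FREE10"))
    try:
        svc.redeem("unverified@example.com", "CONSTRUCTED-FREE10", SAMPLE_NOW)
    except RedemptionError as err:
        print("hardened handler, unverified account:", err)
    print("hardened handler, verified account:",
          svc.redeem("verified@example.com", "CONSTRUCTED-FREE10", SAMPLE_NOW))
    print("denied attempts logged:", svc.audit_log)
```

The audit log is the detection hook: a burst of "email not verified" or "per-account daily redemption limit reached" denials from one account or source address is exactly the signal a fraud team would alert on, and none of it exists if the checks live only in the app.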
The researcher took down his post explaining how he “acquired” the free credit because the issues are still present and he wants to give Voi a chance to fix them. That does not mean the post has disappeared from the Internet, though: with minimal effort, anyone can find a copy of it.
BleepingComputer reached out to Voi for comment but had not received a reply at the time of writing. Fant told us that he may re-publish his findings once Voi resolves the issues.