The Security Posture of Barter Mobile APP by Flutterwave

Stephen Ogu
2 min readApr 2, 2021

Flutterwave Inc provides the easiest and most reliable payments solution for businesses anywhere in the world, with over 10k installs of Barter by Flutterwave and other application products like Rave POS, Access Bank Zambia, and Rave Express.

This article is about how secure (apparently) the Flutterwave app is, and it was motivated by this part of their T&C, as seen here:

Before a session token was generated, I needed to log in using this endpoint:

POST http://example.com/api/v1/barter/login

with my “phone number” as my Identifier in the body of the request. After verifying my identity as a user, I was prompted to input my “password” as a returning user on the same device I had logged out from. At this point I need to note that the password policy was poor: my password was something like “zooo”. If a security check is not put in place, the login endpoint is vulnerable to a brute-force attack.
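To show what the missing controls look like on the server side, here is an added example (not code from the article and not Flutterwave's own code): a password policy check and a per-identifier attempt limiter, the two controls that take the sting out of guessing attempts against a login endpoint that accepts a password like “zooo”. The policy thresholds, the static salt, the class and function names and the sample user record are all assumptions constructed for this demonstration.

```python
# Added example (not code from the article or from Flutterwave): a password
# policy check plus a per-identifier attempt limiter.  The policy thresholds,
# the static salt and the sample user record are assumptions constructed for
# this demonstration.
import hashlib
import hmac
import re
from typing import Dict, List

MIN_LENGTH = 12  # assumed policy minimum


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


class LoginThrottle:
    """Count failed logins per identifier and lock the identifier for
    `lockout_seconds` once `max_failures` failures land inside `window_seconds`.
    Time is passed in explicitly so the behaviour is deterministic."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, identifier: str, now: float) -> bool:
        return self._locked_until.get(identifier, 0.0) > now

    def record_failure(self, identifier: str, now: float) -> None:
        recent = [t for t in self._failures.get(identifier, []) if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[identifier] = now + self.lockout
            recent = []  # the lockout itself resets the counter
        self._failures[identifier] = recent

    def record_success(self, identifier: str) -> None:
        self._failures.pop(identifier, None)
        self._locked_until.pop(identifier, None)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so that a leaked credential store cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALT = b"constructed-demo-salt"  # constructed; real deployments use a random salt per user
# Constructed user record using the phone number and password shown in the article.
USERS = {"+2347012345678": hash_password("zooo", SALT)}


def login(identifier: str, password: str, throttle: LoginThrottle, now: float) -> str:
    """Return 'locked', 'fail' or 'ok'.  The candidate hash is computed before
    the lookup so unknown and known identifiers take the same time."""
    if throttle.is_locked(identifier, now):
        return "locked"
    candidate = hash_password(password, SALT)
    stored = USERS.get(identifier)
    if stored is not None and hmac.compare_digest(stored, candidate):
        throttle.record_success(identifier)
        return "ok"
    throttle.record_failure(identifier, now)
    return "fail"


if __name__ == "__main__":
    print(check_password_policy("zooo"))
    throttle = LoginThrottle(max_failures=3)
    for second in range(4):
        print(second, login("+2347012345678", "guess", throttle, second))
```

The limiter keys on the identifier rather than the client IP, so moving between devices or networks does not reset the counter; in a real deployment the counters and lockouts live in a shared store so every API node sees the same state.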

I noticed 3 keys and their corresponding values in the request header, which were:

CustomerReference: ML_ANDROID_deviceId1593**********9052542
UserId: 0300A873A5BB85D537586**********1BE8E72D6ADC227E336436ED863A3AE4E
Hash: 9AE783AC54BE7D4D28C86**********C21E005251A6AD57FC6E5B4CD9D4D095F

The UserId seems to be the same for any user on the app, or maybe that is because I used the same device for the different accounts used in the test.

When I made the request for the first time it went through and I got a 200 OK response (a valid request). But on making the second request I got:

{
  "Status": "fail",
  "Message": "Duplicate Reference ID ML_ANDROID_deviceId159371**********52542",
  "Reference": null
}

I made a new request, changed just the CustomerReference, and made the call again; then I got:

{
  "Status": "fail",
  "Message": "Invalid Hash supplied. Please check and try again",
  "Reference": null
}

That was when I knew that the CustomerReference and the Hash must be corresponding values before a successful request can be made. For every call, a new CustomerReference and Hash are generated, and this is what I noticed on every request I made to the different endpoints of the application.
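The two error responses above are consistent with a request-signing and replay-rejection scheme. As an added example (not code from the article and not Flutterwave's own code), here is one server-side design that produces exactly those two failures: “Duplicate Reference ID” for a replayed request and “Invalid Hash supplied” when the CustomerReference is changed without re-signing. How Barter really derives its Hash is not known; the HMAC-SHA256 construction over reference, method, path and body, the per-device secret, and the reference values are assumptions built for this illustration.

```python
# Added example (not code from the article or from Flutterwave).  The HMAC
# construction, the per-device secret and the reference values are assumptions
# built for this illustration; Barter's real hash derivation is not known.
import hashlib
import hmac
import json
from typing import Dict, Optional

DEVICE_SECRET = b"constructed-per-device-secret"  # assumed to be provisioned at device registration


def compute_hash(secret: bytes, reference: str, method: str, path: str, body: str) -> str:
    """Bind the reference to the exact request so neither can be altered in isolation."""
    msg = "\n".join([reference, method.upper(), path, body]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest().upper()


def sign_request(secret: bytes, reference: str, method: str, path: str, body: str) -> Dict[str, str]:
    """Client side: the two headers the server will check."""
    return {"CustomerReference": reference,
            "Hash": compute_hash(secret, reference, method, path, body)}


class RequestVerifier:
    """Server side: validate the hash first, then reject references already seen."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_references = set()  # a durable store with a TTL in production

    def verify(self, headers: Dict[str, str], method: str, path: str, body: str) -> Dict[str, Optional[str]]:
        ref = headers.get("CustomerReference", "")
        supplied = headers.get("Hash", "")
        expected = compute_hash(self.secret, ref, method, path, body)
        # Constant-time comparison; checking the hash before touching state means
        # an unauthenticated request cannot burn a reference.
        if not hmac.compare_digest(expected, supplied):
            return {"Status": "fail", "Message": "Invalid Hash supplied. Please check and try again", "Reference": None}
        if ref in self.seen_references:
            return {"Status": "fail", "Message": f"Duplicate Reference ID {ref}", "Reference": None}
        self.seen_references.add(ref)
        return {"Status": "success", "Message": "ok", "Reference": ref}


def demo():
    """Walk through the article's sequence: first call, replay, changed reference, fresh signature."""
    verifier = RequestVerifier(DEVICE_SECRET)
    path = "/api/v1/barter/login"
    body = json.dumps({"Identifier": "+2347012345678"})  # constructed request body
    headers = sign_request(DEVICE_SECRET, "ML_ANDROID_deviceId0001", "POST", path, body)
    first = verifier.verify(headers, "POST", path, body)["Status"]
    replay = verifier.verify(headers, "POST", path, body)["Message"]
    tampered = dict(headers, CustomerReference="ML_ANDROID_deviceId0002")
    changed = verifier.verify(tampered, "POST", path, body)["Message"]
    fresh_headers = sign_request(DEVICE_SECRET, "ML_ANDROID_deviceId0002", "POST", path, body)
    fresh = verifier.verify(fresh_headers, "POST", path, body)["Status"]
    return first, replay, changed, fresh


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the hash covers the method, path and body as well as the reference, a valid pair cannot be lifted from one endpoint and reused on another, and the seen-reference store is what turns a captured request into a one-time message.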

I must note that if you are a new user or log in from a new or different device, the app collects this data, maybe for analytical purposes or security reasons (my guess):

{
  "Device": {
    "DeviceId": "6******7-3474-4**1-bc73-b11*****774e",
    "DeviceName": "samsung SM-N960F",
    "DeviceToken": "cBGA****Wf8:APA91bFzgsfj4Ui**********Kt4fiJyKgGlVgv8x7TjEl5zUup3N0TBA**********h8R7sZdkqUG3xMnhDCxfnMi7yjXpnON2fi47QcsnEqPgVYq2DWlO6rXgED4VXEwkcNx0cN1Gk",
    "Os": "android",
    "OsVersion": "29",
    "SerialNumber": "f*****41-1d9c-4565-a44e-2**********3"
  },
  "Identifier": "+2347012345678",
  "IsSocial": false,
  "Password": "zooo"
}

I will make a video of this and drop more findings if necessary, so stay tuned and don’t forget to subscribe to my YouTube channel, leave a comment, and tell me what you think.
