The following post is my first ever blog post, written back in 2019. Now that Subway has patched the exploit (or at least made it harder to perform) I am releasing it.
Greetings Hacker Friends!
Today I found a critical vulnerability in Subway's infrastructure, and here I will tell you how I exploited it.
Web Side
So basically, when it comes to attacking gift cards you need to fuzz the closed API, and that is exactly what I did. Over the years I had come into possession of numerous Subway cards, so I had a good sample of what I should expect the server to return.
What we are trying to achieve is a viable method of telling a real card number from a fake one – without the PIN! If we manage to pull this off, then we can effectively leverage another exploit (can't disclose this one, sadly) to steal Subway cards! After a while of fuzzing Subway's backends, I cracked the system.
In the above image I logged into my Subway account and proceeded to add a card to it. The number and PIN were of course random (11111111111111111111… and 1111111109, or something like that); below is what the server spat back at me.
We take note of the ERROR CODE, that being 135.
Now I put a legitimate card number but an illegitimate PIN into the request.
OHO! The error codes are different!
With this I proceeded to double-check with some other legitimate cards, and they too returned the same error code, meaning that 119 means "incorrect PIN" while 135 means the card number itself is unknown. Ladies and gentlemen, we now have a viable way of remotely stealing Subway cards.
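To show the defensive side of the flaw described above, here is an added example (not code from the original post, and not Subway's real API) of a toy gift-card lookup in two versions. The first returns a different error code depending on whether the card number or the PIN failed, which is exactly what makes the response usable as a card-number oracle. The second collapses every failure into one response, does the same amount of work on both failure paths, and throttles repeated failures per client. The card numbers, PINs, error codes and the `HardenedCardService` name are all constructed for this example.

```python
"""
Added example: a leaky gift-card validation handler beside a hardened one.
Every card number, PIN and error code here is a constructed sample value.
"""
import hmac
import time
from collections import defaultdict
from typing import Optional

# Constructed sample store: card number -> PIN. A real system would store
# only a hash of the PIN; plaintext is used here to keep the example short.
CARDS = {
    "6006490000000001": "1234",
    "6006490000000002": "9876",
}

# Error codes chosen for this example, not the site's real ones.
ERR_UNKNOWN_CARD = 135   # leaky: "card number does not exist"
ERR_BAD_PIN = 119        # leaky: "card exists, PIN is wrong"
ERR_INVALID = 100        # hardened: one code for any failure
ERR_THROTTLED = 429      # hardened: too many failed attempts


def lookup_vulnerable(card_number: str, pin: str) -> dict:
    """Leaky version: the error code reveals which check failed."""
    stored_pin = CARDS.get(card_number)
    if stored_pin is None:
        return {"ok": False, "error_code": ERR_UNKNOWN_CARD}
    if pin != stored_pin:
        return {"ok": False, "error_code": ERR_BAD_PIN}
    return {"ok": True, "error_code": 0}


class HardenedCardService:
    """Uniform failure response plus a per-client budget of failed attempts."""

    def __init__(self, max_attempts: int = 5, window_seconds: int = 600):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures = defaultdict(list)  # client_id -> failure timestamps

    def _failures_in_window(self, client_id: str, now: float) -> int:
        recent = [t for t in self._failures[client_id] if now - t < self.window]
        self._failures[client_id] = recent
        return len(recent)

    def lookup(self, client_id: str, card_number: str, pin: str,
               now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        if self._failures_in_window(client_id, now) >= self.max_attempts:
            return {"ok": False, "error_code": ERR_THROTTLED}

        # Always fetch a value and always run the comparison, so the
        # unknown-card and wrong-PIN paths do the same work and return
        # the same response.
        stored_pin = CARDS.get(card_number, "")
        pin_matches = hmac.compare_digest(pin.encode(), stored_pin.encode())
        if stored_pin == "" or not pin_matches:
            self._failures[client_id].append(now)
            return {"ok": False, "error_code": ERR_INVALID}
        return {"ok": True, "error_code": 0}


def distinguishes_card_existence(lookup_fn) -> bool:
    """True if the response alone tells a real card from a fake one without the PIN."""
    fake = lookup_fn("0000000000000000", "0000")
    real_wrong_pin = lookup_fn("6006490000000001", "0000")
    return fake["error_code"] != real_wrong_pin["error_code"]


if __name__ == "__main__":
    print("leaky handler reveals card existence:",
          distinguishes_card_existence(lookup_vulnerable))
    svc = HardenedCardService()
    print("hardened handler reveals card existence:",
          distinguishes_card_existence(lambda c, p: svc.lookup("demo", c, p)))
```

The check worth keeping from this is `distinguishes_card_existence`: run it against any card or voucher lookup endpoint in a test suite, and a uniform error response plus a failure budget per client (or per card number) is the fix when it returns true.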
Session Grabbing
As always, we want to make things as simple as possible for ourselves, so we will quickly write a Selenium script to grab the cookies we need and then start cracking!
After sifting through the cookie data, we find that most of the cookies are not needed.
Of the cookies in the above list, the only two that actually matter to the server are .ASPXAUTH and .AspNet.cookies.
Request Automation
We could do this from the command line via a simple curl -i -s -k -X $'POST' request, but instead we are going to use Python to automate the process! The code can be found here on my GitHub.
That's all folks! I hope you enjoyed!