codeburst

Bursts of code to power through your day. Web Development articles, tutorials, and news.


You should never let frontend decide for you


24.10.2017: Taxify reached me on Facebook saying that the problem has been sent to the dev team and they are working on fixing it.

Later Edit: Just found out that the token is active for about 6 hours. Queried one of the latest trips that’ve been shared with me. Still enough time to be a concern.

On Saturday afternoon, after a long night out with my girlfriend and friends and with a massive headache I decided to rest a bit. My girlfriend left my place to go home and she decided to share her Taxify location with me. I opened it on my Mac instead of phone and started taking a look around.

Inspecting how Taxify guys write that code and if I can find something. Pretty basic things. Btw guys, you still have some //TODOs in your code. Fix that :).

Well, what got me interested was the driver location polling. While the trip is active and the location changed since the last poll the user has the same location as the driver. But what happens if the trip ended?

Backend-wise, I really don’t know. But in the frontend, in their main JavaScript file, a function named destroy() is called. Let’s see it:

destroy: function () {
    driverLocationPollingService.stop();   // stop polling the driver-location endpoint
    mapPlugin.clearUserMarker();           // remove the driver marker from the map
    $("#content").empty();                 // clear the shared-trip view
}

Well, the interesting part is driverLocationPollingService. Let’s dive into the stop() function:

stop: function () {
    log.log(TAG, "stop");
    hash = null;                 // forget the share token from the URL
    driveLocationData = null;    // drop the last driver location received
    clearInterval(interval);     // stop the polling timer
    interval = null;
}

hash is the hash you receive when the location is shared with someone else. The URL looks something like https://****.taxify.eu/?s=hash. driveLocationData is an object containing the location of the driver. But what if they only handle this in the frontend? What if …

Well, they do. Hehe. I was able to track a driver through Bucharest for 1h until The Great Suspender suspended the tab and I was too lazy to redo the work. If you just prevent the destroy() call, you’ll be able to track it.

Tracking the driver through the city after it finished the trip

I don’t say that this is a major security flaw, but it is. I can triangulate where the driver is and possibly find his home address (I’m sure they track that too). The point here is that you should never let the frontend do the job the backend is supposed to do. After the ride is finished, under no circumstances should I be able to track the driver.

This is the response after querying the endpoint with the hash I have. It gives me the last location the driver has been seen at. It didn’t change for a while, so I suppose this is the driver’s home address. The hash should be invalid after a while, or I shouldn’t be able to access it at all.
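To make the point concrete, here is an added example of what server-side enforcement of a share link looks like. This is not Taxify’s code; the trip and share tables, the 6-hour window, and the function names (lookupSharedLocationWeak, lookupSharedLocation, finishTrip) are all assumptions made for the example. The weak version answers any valid-looking hash, which is the behaviour described above; the hardened version checks the trip state and link age on every poll, and finishing a trip revokes its share tokens, so the server rather than the browser decides when tracking stops.

```javascript
// Added example, not Taxify's code. All names and data below are hypothetical.
// The frontend's destroy()/stop() only stops polling in the browser; the server must
// independently refuse to serve driver locations once the trip has ended or the link expired.

const SHARE_TTL_MS = 6 * 60 * 60 * 1000; // 6h validity window (assumed, matching the post's observation)

// Constructed in-memory state standing in for the backend's database.
const trips = new Map([
  ['trip-1', { status: 'active',   driverLocation: { lat: 44.4268, lng: 26.1025 } }],
  ['trip-2', { status: 'finished', driverLocation: { lat: 44.45,   lng: 26.08 } }],
]);

// share token (the "s=hash" from the URL) -> { tripId, createdAt }
const shares = new Map([
  ['tok-active',   { tripId: 'trip-1', createdAt: 0 }],
  ['tok-finished', { tripId: 'trip-2', createdAt: 0 }],
  ['tok-stale',    { tripId: 'trip-1', createdAt: -(SHARE_TTL_MS + 1) }],
]);

// Weak version: trusts the link alone and never looks at trip state.
// A finished trip's driver location keeps being served for as long as the token exists.
function lookupSharedLocationWeak(token) {
  const share = shares.get(token);
  if (!share) return { status: 404 };
  const trip = trips.get(share.tripId);
  if (!trip) return { status: 404 };
  return { status: 200, location: trip.driverLocation };
}

// Hardened version: every poll is checked against link age and trip status.
// 410 Gone tells the client the link is no longer valid, without leaking a location.
function lookupSharedLocation(token, now = Date.now()) {
  const share = shares.get(token);
  if (!share) return { status: 404 };
  if (now - share.createdAt > SHARE_TTL_MS) return { status: 410 }; // link expired
  const trip = trips.get(share.tripId);
  if (!trip || trip.status !== 'active') return { status: 410 };   // ride over: nothing to share
  return { status: 200, location: trip.driverLocation };
}

// Called by the trip lifecycle when the ride ends: mark the trip finished and revoke
// every share token that points at it, so later polls get 404 rather than a location.
function finishTrip(tripId) {
  const trip = trips.get(tripId);
  if (!trip) return false;
  trip.status = 'finished';
  for (const [token, share] of shares) {
    if (share.tripId === tripId) shares.delete(token);
  }
  return true;
}

module.exports = { lookupSharedLocationWeak, lookupSharedLocation, finishTrip, SHARE_TTL_MS };
```

The frontend’s stop() can still run exactly as before; it is just no longer the thing that protects the driver. Whatever the browser does with the hash, a poll after the ride has ended or after the window has passed returns no coordinates.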

I reached Taxify but they didn’t answer. I specified that this might be a concern related to their drivers, but still no answer.


Published in codeburst


Written by Matei Oprea

Software Developer @ Okapi Studio / Music producer
