basic persistent threat @_lagrangepoint
hacker, designer, dilettante
prev @claygorilla @tensorfuse
currently: solving hardware sourcing in india
Jan 12 • 22 tweets • 8 min read
Last year, a friend was planning a trip to an amusement park for her bday. Site design is often a good heuristic for security and the design wasn't inspiring confidence—so I went poking.
A fun story of finding a payment bypass in PayU India and the subsequent disclosure arc:
Some background: @PayUindia is one of the largest payment gateways, used by over 500k+ merchants online in India.
When you pay for things online, merchants will rely on PayU to say "Yes, we got da money!"—and trust that yes, they really did.
This becomes important later.
Nov 26, 2024 • 16 tweets • 6 min read
Last month, a number sent me malware via an APK titled 'Union Bank Aadhar Update' on WhatsApp.
These typically just lamely forward all SMSes received to steal OTPs, but this one turned out to be a significantly more sophisticated op.
Some notes from taking down a scam network:
I used jadx to decompile the APK, and it was immediately apparent that this was not the run-of-the-mill op that just forwarded SMSes.
Here's a side-by-side of another such SMS-stealing scam I received in July and this one on the right:
Nov 12, 2024 • 15 tweets • 4 min read
Apple released a hearing aids feature for the AirPods Pro a while ago. I bought a pair for grandma, but then realized that the feature was geoblocked in India.
So we at @_lagrangepoint decided to unblock it. It ended up involving a leaky microwave and building a Faraday cage:
At first, we thought it would be easy—spoof IP location with a VPN, maybe rewrite some requests in a proxy, how hard could it be?
May 4, 2024 • 9 tweets • 3 min read
We reversed the Rabbit R1 🐇 and got it to run on our phones!
This gives us future OTA updates, access to new features without a device + works perfectly without root/system perms!
(Blog post below)
Here's how we did it (article by @MishaalRahman):