The Daalder e-wallet

By Puck Meerburg

(or, caring about security at least a little bit)

Daalder is a new method of payment, that recently started promoting inside our school (and others nearby), due to an agreement with the caterer at our school. They had some very interesting (and somewhat suspicious) points:

  • Daalder is an e-wallet, and not a bank. They say you cannot lose ‘daalders’ (their ‘euro’, which is 1:1 to the euro), compared to cash and bitcoins (you cannot really ‘lose’ bitcoins either, just lose the key for them, but nitpicking aside…).
  • They aren’t a bank, so they can avoid the huge transaction costs for paying via debit, so both sides profit.
  • I never heard of them! The posters in school were the first time I ever heard of them, which raises some suspicion, of course.

The start

So, I downloaded their app and installed it. After a quick registration (e-mail address + password, no verification), I had an account, with 0 euros/daalders on it. I was still at school, so couldn’t do more analysis.

Back at home, I copied the .apk from my phone onto my desktop, and ran it through dex2jar, to get a more jvm-y file for jd-gui. I then disassembled it, and started poking around, and what I found was surprising!

The (loyalty) cards

Turns out, Daalder is just a frontend for a loyalty card service, so building an e-wallet system over it adds some additional requirements: Each user has an account, linked to which is a ‘loyalty(/gift)’ card. There is also no way to link multiple loyalty cards to one account, officially. But, of course, there’s some edge cases that can occur, like, what if a loyalty card was made but never linked to the account, due to a network error? (result: web interface doesn’t like it, but the app seems to make another loyalty card to link to it? not 100% sure on this. Probably won’t cause any security vulnerabilities.)
But, I felt like there was another issue somewhere, so I started mapping the APIs and everything that was a parameter, and suddenly I found it…

The big bug

So, I mapped out the API and found out this is the registration sequence:

  • Create a new account
  • Create a new loyalty card
  • Link the two together

and, because the APIs are probably shared with gift cards too, I thought there should be a way to make loyalty cards that ‘spawn’ money. And indeed, I was right. Secretly hidden in the list of parameters sent to the server for creating a loyalty card is…. <Value>0</Value>. I immediately thought ‘oh… Oh! hmm…’ and set it to 100, or 1 euro.

After running this line, I noticed the call succeded, so I went and continued calling the APIs, linking the loyalty card and account together, and logged into the app. And indeed, the 1 euro was there! So, next thing is to test if I could actually use the money, so I transfered it to my own account, and indeed it worked. I imagined the possibilities of spawning infinite money, then realised the only local places I could use it at was my school (infinite paninis maybe?) and I reported it to Daalder, who very quickly responded and fixed it!

Actually caring about security issues

Daalder has received a €400,000 investment by Keadyn, and is also working together with caterer Van Leeuwen, who manages catering in a few schools in the Netherlands, including the ones in my city. And I can’t stop but wonder how such a giant bug went through the cracks, and noone, not even the developers, found it earlier than me (or decided it wasn’t a bug). And noone, not at Keadyn, not at the catering, noone inbetween, thought it might have had a vulnerability. This might be in part due to not enough programmers, but I presume it’s just because most people don’t care about security.

And especially in systems that require a lot of security for one reason or another (handling money, private information, et cetera) not caring about security, or even blindly trusting that the system is secure, is a doubleplusungood idea. That’s also why banks have strict security guidelines they are audited on.

I think that more companies should have some kind of pentest happening before they can receive investments, even if it is just to avoid deflation of the euro by somehow introducing millions of them into an e-wallet with bad security…