Dropbike’s service seems fairly straightforward — find a bike using your smartphone, scan the code to unlock and you’re ready to ride. But Tristan Rice, a recent UBC graduate and software engineer, noticed a number of issues with the app’s functionality.
“The app is pretty terrible,” said Rice. “It’s got a bunch of weird issues […] you unlock the bike and then the entire app goes unresponsive until 15 minutes after you re-manually lock the bike.”
In a blog post, he writes about how the app “eats a huge amount of battery and constantly polls and sends your location to the server.”
Rice decided to design his own app to access Dropbike’s service. He discovered not only how to easily hack into the app for a free ride, but that he could access the personal information of every student who used the service.
“Emails, phone number[s], the IP address you connected from most recently, your full name, […] basic information like whether or not you’re in Vancouver,” said Rice. “The messages could’ve contained anything. Someone could’ve typed in their credit card details.”
He also noted flaws in Dropbike's app that left users' data exposed.
“I’m not [a security engineer], but there are a lot of good practices that pretty much [every programmer] knows,” he said.
Rice reported the issue to the company the same day that he found something wrong. “If I was able to do this, pretty sure any malicious attacker could have as well with much more disastrous results,” he wrote in his blog.
A day after UBC President Santa Ono appeared in a photo with the product, UBC Associate VP Campus and Community Planning Michael White issued a statement affirming UBC's commitment to the data security and privacy of those affected, distancing the university from Dropbike's data-handling practices.
“As Dropbike is a third-party business licensed to operate on campus, UBC has no involvement in the creation and maintenance of the Dropbike platform,” he said, noting that Dropbike’s partnership with UBC is under a one-year pilot licence subject to appropriate data security measures.
Afraj Gill, one of Dropbike’s founders, said that the issue was resolved within 36 minutes of being notified of the vulnerability.
“We prioritize absolutely nothing above the safety and digital security and privacy of our community of riders,” he wrote in a statement to The Ubyssey. He also confirmed that no credit card or financial information was exposed at any point and that payment data is stored offsite with Stripe, a payment processing company.
Overall, Rice recommends that the company hire someone to review its security and that it offer a formal channel for reporting bugs.
“There are a couple of things you can do to protect yourself,” he said. “Don’t ever reuse passwords between different services.
“How you’re supposed to trust companies […], I’m not really sure. I’m sort of trying to figure that out myself.”