OVO is the leading digital payments, rewards and financial services platform in Indonesia, used on 115 million devices. Acquired by Singaporean super app Grab in 2021, the platform offers services ranging from e-wallet payments to peer-to-peer lending, investments (stocks, commodities, mutual funds, etc.) and insurance products, all in the same app.
The Indonesian unicorn embarked on the Bug Bounty adventure in 2020 with a local self-hosted program. Eager to reach an international community of researchers, they reached out to YesWeHack in 2022 to launch a private Bug Bounty program. Today, OVO wishes to take its collaboration with the community a step further by launching the OVO Public Bug Bounty program! Let’s take a look at their program and its specifics!
🕵️ Scope overview
OVO’s main product is a mobile application (Android/iOS) with many features related to wallet management and online payments. Although the main target is their app, the scope of the program also includes most of OVO’s external-facing web assets. Whether you’re into mobile app testing, web recon, or both, you should find an interesting asset to dig into.
Regarding its infrastructure, OVO recently migrated from an on-premise/multi-cloud environment to GCP (Google Cloud Platform). Making sure this new environment is hardened and secured is one of their top objectives for this public bug bounty program.
It’s also good to note that their team works with a short development cycle, which allows them to add new features to their applications (web or mobile) on a weekly basis. As a hunter, you might find brand-new functionality to test and new scenarios to exploit from one day to the next.
Language-wise, for most of its online services, OVO uses Golang (backend), React JS (frontend), Python (backend) and also PHP.
📜 Scenario expectations
As OVO is a fintech company, its security team wants to focus on specific security scenarios that represent direct threats to their customers’ data or online payment services.
Any vulnerability allowing an external entity to obtain unauthorized access to PII through their web application, mobile application or any other in-scope asset is likely to be awarded a nice bounty.
More specifically, since OVO operates a payment solution, the team is very keen on identifying attack scenarios that demonstrate a serious impact on its core-business features, in particular:
- Push to Pay Payment
- QR Payment
- Top Up
- Transfer Out
- Purchase some digital goods
- Linkage with other partners
- OVO Proteksi
- OVO Invest
📢 A word from the OVO security team
“We care about the safety of our customer data and like security, just like you! OVO’s (app)security team is run by a small group of dedicated people from multiple countries (Indonesia, India, and France). We’re all excited to see what hunters can come up with. Please don’t pwn everything, we need to keep our jobs.”
Hunters, now it’s up to you!
Enjoy the hunt!
Founded in 2015, YesWeHack is a global Bug Bounty and VDP Platform. YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 45,000 cybersecurity experts (ethical hackers) across 170 countries with organisations to secure their exposed scopes and report vulnerabilities in their websites, mobile apps, infrastructure and connected devices.
YesWeHack runs private (invitation-only) programs and public programs for hundreds of organisations worldwide, in compliance with the strictest European regulations.
In addition to the Bug Bounty platform, YesWeHack also offers: a creation and management solution for Vulnerability Disclosure Policy (VDP), a Pentest Management Platform, a learning platform for ethical hackers called Dojo and a training platform for educational institutions, YesWeHackEDU.