The High Court in Delhi has asked Delhi government to file a reply on steps taken by Govt to stop Ola & Uber from charging fares arbitrarily during the odd-even phase.
The Aam Admi Party-led Delhi government has said that it will take stern actions against Uber and Ola for causing hardship to commuters and charging exorbitant prices during the ongoing odd-even scheme in the state.
“The government is serious about preventing arbitrariness by app-based taxi services and is ready to take strict action against them, Ola and Uber will have to follow rules. If we receive complaints against the arbitrariness of any app-based taxi service, we will impound their vehicles,” said Gopal Rai, Delhi Transport Minister.
Delhi High Court is likely to hear the matter on April 25.
Commuters can register complaints against arbitrary fares at 011-42400400!
Price surging by taxi-aggregators has raised alarms in several states. Karnataka government had recently issued notices to aggregators and had even impounded several vehicles in the state. Maharashtra too adopted the similar policy.
On Friday, DNA had reported that Ola cabs were in talks with Uber to sell its stake in the company.
However, Ola later denied any intent of business with their rival Uber in India and initiated a legal action against DNA for reporting a false story.
“We have seen Uber in India reacting to Ola’s growth with moves not seen elsewhere globally – be it front page advertising, dramatic fare cuts and rapid and knee-jerk changes in categories – so one can only surmise that they are worried about their market share declining. We are clearly on the winning horse with Ola and have no doubts about its future, ” said Avnish Bajaj, MD of Nexus Partners, Key investor in Ola Cabs.
Just a few days after the Karnataka Transport department announced policies and actions on price surge by taxi-hailing apps in the state, Maharashtra has taken stern steps in keeping a check on those taxi-hailing apps in their state.
Karnataka government had in last week set a price cap on how much could taxi aggregators charge their customers but, Maharashtra has taken the adoption one step forward and has introduced an induction scheduled for taxis, where only 25 percent of the fleet can be acquired at the time of being granted the licence, 50 percent in three months, 75 percent in six months and 100 percent in a year. This step is likely to keep the Ubers and Olas fleet out of business for few months. A proposal in this matter has been sent to the government.
‘The fare will be decided on the cost of the vehicle and the engine capacity. The transport department will enjoy powers to cancel licences for non-compliance,” a Maharashtra minister told BS.
The aggregators debate that fare rates automatically increase, when the taxi demand is higher than drivers around you and prices are surging to ensure reliability and availability for those who agree to pay a bit more.
With more and more states adopting measures against price surging, it will benefit consumers heavily but hurt the aggregators.
The new guidelines for taxi-hailing aggregation services have been laid out by the transport department of Karnataka.
As per the new Motor Vehicle Act that has been amended with effect from April 2, rates are fixed by the government for all aggregators licensed to operate. As per new norms, the maximum fare will be capped at Rs 19.50 per km for AC cabs and Rs 14.50 per km for non-AC cabs. At any point in time, the cab services cannot charge users more than the maximum prescribed fare.
“Taxis will not be allowed to charge more during peak hours. But the operators can certainly lower tariff to gain a competitive edge,” HG Kumar, Additional Commissioner, State Transport Authority told ToI.
The new rule is amended under Sub-section 1 of Section 212 of the Motor Vehicles Act, 1988.
The government has also mandated certain rules only for taxi aggregators in state:
– GPS/GPRS systems are a must. The rules spell out technical specifications of the devices to be used.
– Control rooms are a must. A system through which a panic button pressed by the passenger can alert police is mandatory.
– Refresher courses for drivers on gender sensitization, safe driving and etiquettes should be documented for a year.
Ola today announced the appointment of Infosys’ Rajiv Bansal as its Chief Financial Officer. Rajiv has spent over 16 years at Infosys, where he was the CFO and recently transitioned to being an Advisor to the CEO.
Rajiv will be part of Ola’s core leadership team and is expected join the company in January, 2016. Mitesh Shah, who is currently the CFO, will lead Strategic Finance Initiatives as part of Rajiv’s team, going forward, said Ola in a statement.
“His(Rajiv’s) experience of being at the helm of finance for one of India’s most respected companies will help us in adopting best practices and in realising our mission of building mobility for a billion people. I’m looking forward to working with Rajiv as we scale Ola to newer heights in the time to come,” said Bhavish Aggarwal, Co-founder and CEO, Ola
After investing in several companies like Snapdeal, Xiaomi, Paytm etc Ratan Tata has now invested in Olacabs.
Mr. Tata’s inclination towards transportation as a segment with the way he steered Tata Motors under his leadership at the group level is well known. Also, the Tatas at a group level and Mr. Ratan Tata himself, have built businesses that have focused on immense social impact and value creation.
With Ola’s vision to impact mobility and transportation in India by creating a valuable citizen utility and a robust entrepreneurial ecosystem, we look forward to seeking inspiration and learning from this association. It is an honour as well as a huge endorsement for us and reflects Ola’s commitment towards the future of mobility in India. [Bhavish]
According to the new draft of Road Transport and Safety Bill 2015, the mobile app-based taxi hailing services like Uber and Ola will be no more defined as mere ‘aggregators’.
The latest draft of Road Safety Bill defines these services as a “digital intermediary or marketplace for a passenger to connect with a driver having the requisite qualifications under the laws in India.”
The draft Bill further explains that an “on demand transportation technology aggregator” must be compliant with all applicable regulations prescribed under and pursuant to the Information Technology Act, 2000, including the intermediary guidelines. The service aggregator shall not own or lease any vehicles, employ any drivers or represent themselves as a taxi service unless also registered as a taxi operator under the applicable law.
These services are presently not under any regulations as technically they are not taxi operators but merely aggregators. Laying down a clear definition, these mobile apps will come under the law when it is passed.
Ola has confirmed its Series E round of funding of $400mn led by DST Global with participation from GIC, Falcon Edge Capital and existing investors SoftBank Group, Tiger Global, Steadview Capital and Accel Partners US.
Out of $400mn raised, $100mn is earmarked towards fueling expansion & growth of TaxiForSure.
Ola has expanded to 100 cities in the current year from 10 cities a year ago; this growth has been further accelerated with the acquisition of TaxiForSure, India’s second largest cab aggregator in March 2015.
Ola recently launched OlaCafé, which is currently available in beta across 4 cities.
Alleging that the companies are not complying with a ban order imposed by the Delhi government, Department of Electronics and Information Technology (DEITY) is seeking views from the Transport Ministry for a country wide ban on the apps.
All app-based cab services were banned in Delhi after an Uber cab driver was accused of raping a female passenger. The companies stopped the services for a while but resumed its operations soon after. In March, Transport Department of Delhi Government has warned Uber and Ola over resuming their taxi services in the state capital citing that the companies are not abiding by the government order, the Delhi government has requested DEITY to block the apps. But DEITY found it technically impossible to do so for one particular state, and therefore, it sought “concurrence” of the transport ministry for pan-India execution.
Stressing that the execution could only happen at the national level, a senior IT Ministry official said, “We have sought views of the Transport Ministry and are waiting for their reply.”
Ola is the new controversy maker and while the company is facing issues w.r.t license in NCR, Karnataka State Transport Department officials conducted a raid against Ola cabs at Sadarahalli Toll on Airport Road, Devanahalli on Friday and seized 100 taxis belonging to Ola which have been operating illegally in the city.
“..these cabs were found running with state taxi permits and charging exorbitant fares against the rules. The cabs didn’t have digital meters and some were found charging 10X the government laid norms
[Joint Commissioner of Transport Department, Narendra Holkar]
The Transport Department of Delhi Government has warned Uber and Ola over resuming their taxi services in the state capital. The official letter sent by the Transport Department cites that their application for radio-taxi licenses will not be processed if they continue with their operations.
In December, the government had ordered all unregistered web-based taxi companies to cease their services after an Uber driver raped a lady passenger in New Delhi. Soon after the government order, Uber stopped the services but resumed it in January after applying for a radio-taxi license, while Ola continued the operations.
Ola has soft-launched a food delivery service, Olacafe) which enables customers to order food using the Ola app (on the lines of Uber’s food delivery service).
The service is available in some parts of Bangalore, Hyderabad, Delhi and Mumbai. You can either pay via Ola money or Ola cash (details here).
Ola’s App Loading Screen; Free Riding
So apparently, Ola has lifted their load screen image from a Flickr account.
WTF! @Olacabs is using my photo for their iPhone app *without* my permission.
Speed is one thing. And control is another. Choose wisely.
While you are raising your next $500mn, the recent example of Ola hacks and this image copyright issue is a clear warning sign that you aren’t in control.
So before you speed further (with more feature launches), go take a ride, [The olacafe launch was first reported here]
[Editorial notes: Geek-turned-Ethical-hacker Shubham hacks into Ola wallet and shares it all (after the issue has been fixed). ]
A few weeks ago I was working on some weekend fun project… I exactly don’t remember what that was. I was monitoring my phone traffic from a proxy server. While doing that I saw Ola API calls going from my phone (since I was booking a cab).
For those who don’t know about Ola, Ola Cabs is the biggest cab provider in India and also biggest competitor of Uber (again in India). For more information you can visit the Wikipedia page of Ola Cabs.
After seeing those flashing binaries data going from my system I forgot my weekend project and started tweaking and reverse engineering Ola API’s which eventually resulted in breaking their money transaction system and bam I was able to recharge my Ola wallet with any amount. For a long time I was thinking about publishing this work on the web but I have been way too busy all this time. It’s innate in humans — We all love a story. And if you’re looking for a cool tech story, this one could be for you.
Chapter 0 : Something is not right
I was working on a small side project in which I was monitoring my phone traffic. For this purpose I used MITM Proxy, which is a very light console based proxy server. As I was booking my cab I saw Ola API calls. The structuring of the API calls attracted my attention. Something was amiss here. These calls were simple HTTP requests without any OAuth token mechanism or any other encryption to guard APIs. One can easily replicate these calls from a console or by using Chrome. There are some other clients one can use like PostMan or Advance Rest Client.
Chapter 1: Digging the tunnel
After successfully tracking and fetching cabs I was very happy because (no offence to ola) their app sucks, as in really really bad. First of all it crashes a lot. Secondly, I don’t like the UX. I think better things can be done. Just take the example of Uber. Their app works so smoothly and booking a cab is a piece of cake. Thirdly it is very difficult to book a cab. It’s a blink and you miss situation where in microseconds a cab vanishes.
This got me thinking and I created a one tap app where once I’ve set my preferences, a thread can run in the background and ensure a one-tap cab booking. For one thing, it made my life easier while accomplishing the task of fully automating the booking process. A few people might find this offensive but this is the fun in weekend projects; creating small utilities so that you can get even more lazy :p
Then I went greedy (lazier). I thought what if I can book a cab for free?!! That will be one mighty bad-ass thing to do. So I started to trace the recharge API calls.
I did one simple recharge on my phone to get an idea of what was going on. Long story short, one recharge process in three simple steps :- Step One : Generate an order id which will be used for reference in future, Step Two : Make a few payment gateway calls to complete the transaction Step Three : One more API call to Ola’s server to acknowledge the transaction, to complete the process.
<p”>After completing the transaction I started connecting the dots to understand their system. Believe me it was one hell of a easy maths. Simply put, it was a very bad design because all the transaction APIs implemented by Ola were using simple HTTP protocol and sending data in plain white text. This was next ‘woohoo’ moment, because this motivated me to find more loopholes and believe me Ola’s system has a lot of them.
Chapter 2: Fire in the hole
After watching, tracing and connecting all the API calls, my console was ready to fire the bomb. Even if I not get to book cab for free but still I can create one app which can book a cab for me in just one single click. To be honest, I was kind of nervous. Let’s accept it, it was easier than I’d ever imagined and if this went right, well you can understand.
Since college days I’ve been making such things. Partly because I enjoyed the thrill of the process more than the end result. It wasn’t exactly like “The Social Network” but something similar.
Coming back to the topic, I had my arsenal ready for attack. With a prayer on my lips, I fired my first shot i.e. generating an order id. It went perfect. I took aim again and below is what a cleaned request looks like, with response from their server.
Now I have one order id that is ready for transaction, which I can use to acknowledge completion. Lock and load!
In few seconds I received a message on my phone, confirming the recharge and I was like YESSSSSS……..its done!!! I just cannot express what it was like. I just fooled one of the biggest startups with millions in funding.
Hearing me shout in excitement, my sleeping flatmate DAERTY came running to the scene, “kya hua be kyu itna chilla raha h, chain se sone bhi nahi deta” (why are you shouting, you never let me sleep peacefully). I said dude watch this. I sent the last request again, pressed enter which culminated with my phone message tone ringing.
Note that I didn’t even generate a new order, it was the same order id. If you still didn’t get the joke — it means that they were not even checking for order id, which simply means you can use the same order id to do as many recharges with whatever amount you want, obviously not like 100’s so they get alerted (from what I’m seeing we can safely assume they are not going to). It was hilariously traumatizing (lol).
To summarize this, I think the problem really was in their architecture. I mean for the love of God, you should make order id unique, isn’t it? Ola was not even tracking order ids. Maybe money is getting to their heads. Maybe in the process of putting more taxis on the road they lost track of their technology. Maybe that is why their customer support always sucks. And maybe that’s why they forgot something as basic as this when it comes to library management. Maybe that’s why the Startup of the Year has such a huge security vulnerability.
Below is another screenshot of my android phone showing the successful transactions.
Final chapter: The Aftermath
I was brought up a law-abiding citizen. Ethics are embedded (so I hack ethically). So me and my friend decided to write a mail to Ola to tell/caution them. We definitely did not have any intention of getting them in trouble, even if they seem to have trouble providing customer service.
Where better to shake them out of their slumber than ask their dreadful customer support (that’s right, we are gentle folks). So we wrote them a mail asking in essence — do you guys have any bug bounty program?”. If you’re enough of a techie, you will know how Google deals with bugs. What we got in response was a very ugly and rude response from their them. In retrospect I’m surprised that I was surprised…
Even after such a hurtful response from them, we replied them back saying that it’s fine if they aren’t interested in improving their system. Two days later, we received a mail from their customer support HEAD saying we will get back to you on this (maybe they weren’t that bad). Now what, now we wait…..
1,2,3….7 days i.e. one week was over and there was no response, maybe they were busy talking to cabbies. At that time I was working with Kuliza Technologies, Bangalore. I talked to my senior management people and told them about this. They were very supportive and professional about this episode. They helped me report this issue to the management of Ola and even sent a mail to the CEO with all the details and findings of that hack (not boasting but it was a hack)
A few days later, one of their security people replied. It went something like this
Thanks for reporting this issue to us, we will fix this and will keep you updated.
Almost a month and a half month later, I’m still waiting for a reply or an acknowledgement (and I naively thought it was just customer support that sucks at Ola). Maybe this callous attitude has trickled down from the top. The management’s attitude has definitely permeated the entire organization it seems. I was under the impression that elephants can’t dance. It seems that calves loaded on food can’t either.
They’re spending their millions to hire drivers who don’t even have manners to talk to customers or to buy huge offices. I’m sure that 8 out of 10 ola customers will complain about their service quality. Even sarkari babus are showing up on time these days. Ola’s cabs are still highly unpredictable. Their government office mentality is visible from this example; last month my I forgot my Sony earphones in a cab in Delhi. Close to 20 calls, and emails later I got a mail from their support saying that my earphones were in their Gurgaon office and I can collect them from there only(which is almost 40–60 km away).
Few of you may find this post as a result of frustration. Yes it definitely is. As a customer I’m tired of their shitty support. As a programmer and developer it is frustrating to see their design and architecture. It is mockery of our dependency.
In short the issues with Ola are :-
Weak design of DB and architecture, and glaringly poor implementation on app.For example order-id is supposed to be unique but you can use same order-id to recharge your wallet again and again.
It seems that checksum, card id etc isn’t crosschecked with MobiKwik. You can use any gibberish values in place of checksum & card-id, and the recharge will still be done successfully.
Lack of implementation of security protocols like HTTPS or any token validation. While making money transactions, some token validation mechanism should have been implemented. At least proper server side validations should be present.
Breaching Ola was one of the easiest kind of hacks possible, and a part of me is disagreeing with the part that describes it as a hack.
P.S. : Since they haven’t responded well and this issue has been fixed in current version. I am posting it!
Meru cabs has raised $50mn from India Value Fund Advisors. The company is also closing another $ 100 million , which is expected to be infused by the end of this month through a new set of investors.
Meru has a fleet of about 12000 cabs and the company reported its first profit in 2013-14, of Rs 3.6 crore. In 2012-13, it had a loss of Rs 31.1 crore [via].
Competition Ola which acquired TaxiForSure recently is reportedly raising $500mn.