There's this huge financial company in my country that's basically backed by the government. They're running everything — transport, banks, ATMs, payment terminals — total monopoly.You can't even ride a bus without having their app installed and buying a ticket through it. What really caught my attention though are their kiosk terminals. I'm almost certain they're weak as hell.I'm thinking if I can figure out the endpoint these kiosks are sending payment requests to, I could intercept or replay them. Since the payment amount is determined by the actual cash inserted into the terminal, there’s probably a way to spoof that request. If that’s possible, I could essentially trigger a kind of "infinite money" bug by mimicking the right calls.The kiosk does not have a card reader or anything, its a simple touchscreen I am thinking running android cause it is using a SIM card to connect to internet. You simply select a service you want to pay (steam, bills, etc) then feed money and pay.
