ElectricMotorcycleForum.com


Author Topic: How to recover password on Zero SR/F NextGen App  (Read 900 times)

NoRid

  • Newbie
  • *
  • Posts: 13
    • View Profile
How to recover password on Zero SR/F NextGen App
« on: April 14, 2020, 12:02:07 PM »

For some reason I lost my super-secure password on the Zero NextGen app. I am still logged in, so I have access to the bike. Different than on any other login I know, there is no "reset password" or "I forgot..." option in that app.

I searched the forum and found that some of you noticed this before, but I did not find a solution for that.
What are my options? In the app I can log out (which I am currently afraid of) or I can click on "Deactivate".
I was thinking if the "Deactivate" option would allow me to re-register my bike with a different password (that I then hopefully remember). But will this work? And can I use the same E-Mail address then again as a user name or do I need to use a different one?

Thx for your help!
-NoRid
Logged

Hans2183

  • Sr. Member
  • ****
  • Posts: 468
    • View Profile
Re: How to recover password on Zero SR/F NextGen App
« Reply #1 on: April 14, 2020, 03:34:36 PM »

If you can configure a proxy or another way of sniffing your own network, you can check if the official app also has to submit the password as plain text to the API. You can check the NextGen API topic on here for more information on the URLs to look for.

Should look like this:
Code:
https://mongol.brono.com/mongol/api.php?commandname=get_units&format=json&user=yourusername&pass=yourpass
Logged
2021 Energica SS9+ 21.5kWh
--- Belgium ---

NoRid

  • Newbie
  • *
  • Posts: 13
    • View Profile
Re: How to recover password on Zero SR/F NextGen App
« Reply #2 on: April 14, 2020, 04:49:48 PM »

Thanks for the hint Hans2183.
Unfortunately this does not work because this is an HTTPS connection (also used by the app). The secure channel is established between the server and the app, so with the sniffer I only see the encrypted traffic and cannot read user name and password. I verified this with a capture. Normally a good thing, but not in this case :(.

Best
- NoRid
Logged

Hans2183

  • Sr. Member
  • ****
  • Posts: 468
    • View Profile
Re: How to recover password on Zero SR/F NextGen App
« Reply #3 on: April 14, 2020, 08:16:25 PM »

Oh, then they have a better way to connect to the API than we have.
Logged
2021 Energica SS9+ 21.5kWh
--- Belgium ---

didierm

  • Jr. Member
  • **
  • Posts: 67
    • View Profile
Re: How to recover password on Zero SR/F NextGen App
« Reply #4 on: April 15, 2020, 12:38:21 AM »

Is your phone rooted?
An strace or tcpdump may provide some info.
Logged

NoRid

  • Newbie
  • *
  • Posts: 13
    • View Profile
Re: How to recover password on Zero SR/F NextGen App
« Reply #5 on: April 15, 2020, 02:15:36 AM »

Quote from: Hans2183
> Oh, then they have a better way to connect to the API than we have.

I was checking with your zeroNG app. Also here I don't see that a user name and password is sent in clear text. This is all end-to-end encryption when you send HTTPS commands. In a browser plugin you could capture the traffic before it is encrypted, but as soon as it goes out of the device it is encrypted. Or am I missing something?

Quote from: didierm
> Is your phone rooted?
> An strace or tcpdump may provide some info.

I am using an iPhone, so no option to root. I was running tcpdump on my router.

Logged

Hans2183

  • Sr. Member
  • ****
  • Posts: 468
    • View Profile
Re: How to recover password on Zero SR/F NextGen App
« Reply #6 on: April 15, 2020, 02:20:49 PM »

In the zero ng app the password is in the URL query parameters, so that is visible on the requests. You might even see it in logs of routers and so on.

In the official app it's possible that they have another way to create a session with actually encrypted requests. Didn't check that in detail.

Do you have the password in the zerong app? Then you can for sure find it. I can even make you an update with a "reveal password" option added. PM me if you want that.
« Last Edit: April 15, 2020, 02:24:32 PM by Hans2183 »
Logged
2021 Energica SS9+ 21.5kWh
--- Belgium ---

NoRid

  • Newbie
  • *
  • Posts: 13
    • View Profile
Re: How to recover password on Zero SR/F NextGen App
« Reply #7 on: April 15, 2020, 04:47:33 PM »

Thanks for the offer, Hans, but I do not have the right password in the ZeroNG app. I tested the TCP log with a dummy password.
I still think that your app is more secure than you think. Even when you put the password in the URL query, the URL is an HTTPS connection and the secure channel is established before the HTTP request is sent to the server. So the password leaves the device only in the secure channel and not unencrypted.
Logged
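
Added example (not code from this thread or from the zeroNG app): Replies #6 and #7 discuss a password carried in the URL query string over HTTPS. TLS encrypts that query string on the wire, but any component that handles the decrypted request can still write the full URL to a log. The sketch below scrubs such parameters from log lines. The names `user` and `pass` come from the URL format in Reply #1; `password` and `token` are assumed extras, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as secrets. "user" and "pass" come from the
# URL format posted in the thread; "password" and "token" are assumptions.
SENSITIVE = {"user", "pass", "password", "token"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# Request target as an access log writes it: "GET /path?query HTTP/1.1"
TARGET_RE = re.compile(r'(?<=\s)/[^\s"]*\?[^\s"]+')

def redact_url(url):
    """Return (url_with_secrets_masked, names_of_masked_parameters)."""
    parts = urlsplit(url)
    hits, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not hits:
        return url, []          # leave untouched URLs byte-for-byte intact
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits

def scrub_line(line):
    """Mask secrets in absolute URLs and in bare request targets."""
    found = []
    def repl(match):
        new, hits = redact_url(match.group(0))
        found.extend(hits)
        return new
    line = URL_RE.sub(repl, line)
    line = TARGET_RE.sub(repl, line)
    return line, found

# Constructed sample lines: server access log, proxy tunnel log, app debug log.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Apr/2020:14:20:49 +0000] "GET /mongol/api.php?'
    'commandname=get_units&format=json&user=rider%40example.com&pass=dummy123'
    ' HTTP/1.1" 200 512',
    'proxy: CONNECT mongol.brono.com:443',
    'app debug: request https://mongol.brono.com/mongol/api.php?'
    'commandname=get_units&format=json&user=rider%40example.com&pass=dummy123',
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        clean, hits = scrub_line(raw)
        print(hits, clean)
```

The constructed proxy line shows what an on-path device records for a TLS tunnel (host and port only), while the server-side and app-side lines carry the full query string until it is scrubbed.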

NoRid

  • Newbie
  • *
  • Posts: 13
    • View Profile
Re: How to recover password on Zero SR/F NextGen App
« Reply #8 on: April 15, 2020, 10:43:59 PM »

Eureka, I was able to resolve my issue!

While being connected to the bike via Bluetooth, I hit the Deregister button in the account menu. I got a message that I am NOW deregistered and then I registered again. This worked with the same E-Mail address I used before and I was able to set a new password. Now I can connect again, also with the zeroNG app!
It seems that deregister and register again is the way to change a password.

(edit: fixed typo:  not -> NOW)

« Last Edit: April 19, 2020, 12:10:03 AM by NoRid »
Logged

Hans2183

  • Sr. Member
  • ****
  • Posts: 468
    • View Profile
Logged
2021 Energica SS9+ 21.5kWh
--- Belgium ---

enaef

  • Full Member
  • ***
  • Posts: 232
    • View Profile
Re: How to recover password on Zero SR/F NextGen App
« Reply #10 on: April 18, 2020, 11:18:17 PM »

Quote from: NoRid
> I got a message that I am not deregistered and then I registered again.

... that I am not deregistered ...

Was it really that way, or was it rather 'that I am not registered' or 'that I am deregistered'?

Thanks for clarification.
Logged
2019 Zero SR/F Premium & Rapid Charger

NoRid

  • Newbie
  • *
  • Posts: 13
    • View Profile
Re: How to recover password on Zero SR/F NextGen App
« Reply #11 on: April 19, 2020, 12:08:18 AM »

This should read ...that I am NOW registered.... For some reason I keep making this typo.
Sorry for the confusion. I will fix this in the post.
Logged

Shadow

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1085
  • 130,000mi electric since 2016
    • View Profile
Re: How to recover password on Zero SR/F NextGen App
« Reply #12 on: April 19, 2020, 01:02:05 AM »

Please feel free to edit previous posts for technical accuracy. Nice information!
Logged

flattetyre

  • Full Member
  • ***
  • Posts: 200
    • View Profile
Re: How to recover password on Zero SR/F NextGen App
« Reply #13 on: April 19, 2020, 03:06:00 AM »

Glad that you figured it out, but seriously, someone who's sniffing traffic but can't mitm himself with a proxy and his own cert on the phone? What?
Logged

Crissa

  • Hero Member
  • *****
  • Posts: 3144
  • Centauress
    • View Profile
Re: How to recover password on Zero SR/F NextGen App
« Reply #14 on: April 19, 2020, 06:05:05 AM »

Sniffing traffic is easier and more automated ^-^

-Crissa
Logged
2014 Zero S ZF8.5