Skip to main content

Uber Vulnerabilities Leak Rider Details And Journey History





A Portuguese security company has found eight security vulnerabilities in Uber’s cab-hailing platform, some of which could allow hackers to identify individual drivers and download passenger journey history.
Uber opened its public bug bounty programme in March, and during a three-week test, Portugal-based penetration tester Integrity found that its researchers were also able to get free ride vouchers using brute force attacks.



Uber security

Uber


The researchers even found a voucher that Uber didn’t know exists: a free ride up to $100 for emergencies.
Bug bounty programmes are becoming increasingly popular in the software industry, and provide companies with the most authentic way of testing the security of their systems. Just this week Google revealed that it had given out almost £400,000 to researchers who found flaws in its Android operating system.

Integrity said that its first pass over Uber only yielded previously reported flaws, but then decided to double back and implement new processes to hunt for bugs.

“In order to implement some kind of methodology, we went back to the Uber bug bounty program to check again [its] scope,” said the researchers.
By this, the researchers meant all of Uber’s software that can be accessed, 

such as rider apps for iOS and Android, driver apps for iOS and Android, and the various Uber websites such as Uber.com and Ubermovement.com.
The researchers then DNS brute-forced all of the Uber subdomains that they could find. This method rewarded Integrity with free promo codes for rides, by brute forcing riders.uber.com.

“Uber has a feature that allows the usage of promotion codes. This codes can be given by other users or companies. The application riders.uber.com had this feature in the payment page, so after adding a new promotion code we grabbed the request and realised that the application didn’t had any kind of protection against brute-force attacks, which helped us to find many different promotion codes,” they explained.

“Uber also gives an option to customize promotion codes, and since all the default codes began with the word “uber”, it was possible to drop the time of the brute force considerably allowing us to find more than 1000 valid codes.
01_web-1024x482

“Initially this issue was not considered valid because the promotions codes are supposed to be public and be given by anyone.

This was true until finding an $100 ERH (Emergency Ride Home) code which they (uber-sec team) had no knowledge about. This ERH codes work differently from all others since even if a promotion code is already applied this ones can still be added.”


Help page

Next, the researchers discovered that user email addresses could be gleaned by emailing Uber through the help page request form on the app. Another bug was found when the researchers realised they could access other rider phone numbers when a rider decides to split a fare, a feature that needs another rider’s phone number to work. Unfortunately, this bug had already been discovered.

In total, Integrity found eight new vulnerabilities: the brute force attack to get free promo codes, a way to view a driver’s ride history by bay of their unique driver ID, a way to view the driver’s email address from their driver’s ID, and view trip information from other users. Four other vulnerabilities were found but they are currently not disclosed by Uber yet.

“This was our first bug bounty program that we really dedicated some time, and we think it had a positive outcome,” said Integrity.
“For the people who are starting the bug bounty programs, our advice is: never give up or be afraid if it is a big company, just have fun and try to learn as much as possible along the way and in time the profits will come.
“With this being said, we think that Uber has one of the best bug bounty programs, with great payouts,” it added.

Comments

Popular posts from this blog

US Demands Immediate End To South Sudan Fighting

The United States demanded an immediate end to renewed fighting in the capital of South Sudan on Sunday, ordering all non-essential personnel out of the troubled country. "The United States strongly condemns the latest outbreak of fighting in Juba today between forces aligned with President Salva Kiir Mayardit and those aligned with First Vice President Riek Machar Teny, including reports we have that civilian sites may have been attacked," State Department spokesman John Kirby said in a statement.

Canada Police Thwart Potential Attack,Suspect Shot Dead

Canadian police shot dead an alleged Islamic State sympathizer who was about to activate an explosive device in Ontario late on Wednesday, media reports said as police confirmed thwarting a “potential terror threat”. There was no immediate confirmation from Canada’s federal police that anyone had been shot, with a statement saying only that a suspect had been identified and that they had taken “action” after receiving “credible information” about a potential attack. “Earlier today, the RCMP received credible information of a potential terrorist threat. A suspect was identified and the proper course of action has been taken to ensure that there is no danger to the public’s safety,” the Royal Canadian Mounted Police (RCMP) said in a statement. They did not say where the incident took place. Media reports said the suspect was a 24-year-old man who had been arrested in 2015 for expressing support for the Islamic State group in postings on social media. He had been released in February ...

Lafarge Africa Posts N30bn Drop In Half-Year Profit

Lafarge Africa Plc, a leading cement and building solutions provider, yesterday announced a loss of N30.1 billion for the half year ended June 30, 2016, compared with a profit after tax of N27.3billion in the corresponding period of 2014.