Penetration testers brute force Uber for bug bounty programme, and also find hidden $100 free ride voucher
A Portuguese security company has found eight security vulnerabilities in Uber’s cab-hailing platform, some of which could allow hackers to identify individual drivers and download passenger journey history.
Uber opened its public bug bounty programme in March, and during a three-week test, Portugal-based penetration tester Integrity found that its researchers were also able to get free ride vouchers using brute force attacks.
The researchers even found a voucher that Uber didn’t know exists: a free ride up to $100 for emergencies.
Bug bounty programmes are becoming increasingly popular in the software industry, and provide companies with the most authentic way of testing the security of their systems. Just this week Google revealed that it had given out almost £400,000 to researchers who found flaws in its Android operating system.
Integrity said that its first pass over Uber only yielded previously reported flaws, but then decided to double back and implement new processes to hunt for bugs.
“In order to implement some kind of methodology, we went back to the Uber bug bounty program to check again [its] scope,” said the researchers.
By this, the researchers meant all of Uber’s software that can be accessed, such as rider apps for iOS and Android, driver apps for iOS and Android, and the various Uber websites such as Uber.com and Ubermovement.com.
The researchers then DNS brute-forced all of the Uber subdomains that they could find. This method rewarded Integrity with free promo codes for rides, by brute forcing riders.uber.com.
“Uber has a feature that allows the usage of promotion codes. This codes can be given by other users or companies. The application riders.uber.com had this feature in the payment page, so after adding a new promotion code we grabbed the request and realised that the application didn’t had any kind of protection against brute-force attacks, which helped us to find many different promotion codes,” they explained.
“Uber also gives an option to customize promotion codes, and since all the default codes began with the word “uber”, it was possible to drop the time of the brute force considerably allowing us to find more than 1000 valid codes.
“Initially this issue was not considered valid because the promotions codes are supposed to be public and be given by anyone.
This was true until finding an $100 ERH (Emergency Ride Home) code which they (uber-sec team) had no knowledge about. This ERH codes work differently from all others since even if a promotion code is already applied this ones can still be added.”
Next, the researchers discovered that user email addresses could be gleaned by emailing Uber through the help page request form on the app. Another bug was found when the researchers realised they could access other rider phone numbers when a rider decides to split a fare, a feature that needs another rider’s phone number to work. Unfortunately, this bug had already been discovered.
In total, Integrity found eight new vulnerabilities: the brute force attack to get free promo codes, a way to view a driver’s ride history by bay of their unique driver ID, a way to view the driver’s email address from their driver’s ID, and view trip information from other users. Four other vulnerabilities were found but they are currently not disclosed by Uber yet.
“This was our first bug bounty program that we really dedicated some time, and we think it had a positive outcome,” said Integrity.
“For the people who are starting the bug bounty programs, our advice is: never give up or be afraid if it is a big company, just have fun and try to learn as much as possible along the way and in time the profits will come.
“With this being said, we think that Uber has one of the best bug bounty programs, with great payouts,” it added.