Integrity, a UK- and Portugal-based security consulting firm, recently released some interesting research after participating in Uber’s bug bounty program. For those unfamiliar, bug bounties are a way for organizations to incentivize security researchers to responsibly disclose vulnerabilities in their products. By promising a bounty, organizations hope that researchers will work with them to resolve security issues instead of selling them on the underground to the highest bidder.
Last week Integrity shared their experience with Uber’s bug bounty program. They describe how they identified bugs in different areas of Uber’s API and mobile apps and responsibly disclosed several vulnerabilities, which Uber has since resolved. I highly recommend you read the article, but I’ll highlight some of their more notable findings below.
Uber sometimes offers promotional codes for discounted rides, either to new users or as part of emergency ride home programs run with other ride share services. In their testing, Integrity discovered that Uber’s application had no protection against “brute forcing” these promo codes. Integrity quickly found over a thousand valid discount codes, but Uber’s security team initially turned the research away because they considered the promo codes public. It wasn’t until Integrity found a $100 code, intended for a Washington-based carpool community’s emergency ride home program, that Uber budged and resolved the brute force issue.
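To show what the missing protection looks like from the defender’s side, here is an added example (my own illustration, not code from Integrity’s article or from Uber) of a promo code redemption handler that budgets failed attempts per account and per client IP in a sliding window, stores codes only as digests, and returns the same “invalid” answer for unknown and exhausted codes. The code strings, limits and window length are constructed assumptions.

```python
import hashlib
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed redemptions allowed per key per window (assumed policy)
WINDOW_SECONDS = 3600   # sliding window length in seconds (assumed policy)


def code_digest(code: str) -> str:
    """Normalize and hash a promo code so the database never holds the plaintext."""
    return hashlib.sha256(code.strip().upper().encode()).hexdigest()


# Constructed sample inventory; the codes are hypothetical, not real Uber codes.
PROMO_CODES = {
    code_digest("WELCOME20"): {"value_usd": 20, "remaining": 1000},
    code_digest("ERH-CARPOOL-100"): {"value_usd": 100, "remaining": 50},
}


class PromoRedeemer:
    """Promo code redemption with a failure budget per account and per client IP."""

    def __init__(self, codes, clock=time.time):
        self.codes = codes
        self.clock = clock                    # injectable for deterministic tests
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures

    def _budget_exhausted(self, key):
        now = self.clock()
        window = self.failures[key]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                  # drop failures outside the window
        return len(window) >= MAX_FAILURES

    def _record_failure(self, key):
        self.failures[key].append(self.clock())

    def redeem(self, account_id, client_ip, code):
        keys = (f"acct:{account_id}", f"ip:{client_ip}")
        # Refuse before touching the code table if either budget is spent, so a
        # guessing loop is cut off after MAX_FAILURES misses.
        if any(self._budget_exhausted(k) for k in keys):
            return {"status": "rate_limited"}
        # Lookup is on the digest of the input, so no code bytes are compared directly.
        info = self.codes.get(code_digest(code))
        if info is None or info["remaining"] <= 0:
            for k in keys:
                self._record_failure(k)
            return {"status": "invalid"}      # same answer for unknown and used-up codes
        info["remaining"] -= 1
        return {"status": "ok", "value_usd": info["value_usd"]}


if __name__ == "__main__":
    r = PromoRedeemer(PROMO_CODES)
    print(r.redeem("rider-1", "203.0.113.5", "welcome20"))
    for guess in ("ABC1", "ABC2", "ABC3", "ABC4", "ABC5", "ABC6"):
        print(guess, r.redeem("rider-1", "203.0.113.5", guess))
```

Budgeting on the IP as well as the account matters because a guessing loop can rotate through throwaway accounts; budgeting on the account as well as the IP matters because a loop can rotate through addresses. Neither key alone closes the gap.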
While intercepting traffic from the Uber cell phone app during an actual ride, Integrity also found that they could enumerate Uber User IDs by sending phone numbers to an Uber API designed to allow splitting ride fare bills. Paired with another bug, these User IDs were easily leveraged to return the personal email address of the associated Uber user.
Most frighteningly, Integrity found they could use a rider’s User ID (obtained from the previously mentioned bug) to find details about that user’s trips. The details included the date of the trip, the cost of the trip, and a map of the entire trip route. By chaining these bugs, armed only with a rider’s phone number, Integrity was ultimately able to see a scary level of detail on every Uber ride ever taken by that user.
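The two links in that chain (a phone number lookup that hands back a stable User ID, and a trip endpoint that trusts whoever supplies an ID) each have a standard fix. The following added example (my own illustration, not Integrity’s or Uber’s code) models a fare-split invite that answers identically whether or not the phone number is registered and never returns the invitee’s ID, and a trip lookup that enforces object-level authorization and gives the same “nothing here” answer for unauthorized and nonexistent trips. The users, phone numbers, trip IDs, dates, costs and coordinates are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Trip:
    trip_id: str
    rider_id: str
    date: str
    cost_usd: float
    route: list                                   # list of (lat, lon) points
    shared_with: set = field(default_factory=set)  # riders invited to split the fare


# Constructed sample accounts and trips (hypothetical, not real data).
USERS = {
    "rider-1": {"phone": "+15550001111"},
    "rider-2": {"phone": "+15550002222"},
}

TRIPS = {
    "t-aaa": Trip("t-aaa", "rider-1", "2016-03-01", 23.40,
                  [(47.61, -122.33), (47.65, -122.35)]),
    "t-bbb": Trip("t-bbb", "rider-2", "2016-03-02", 11.10,
                  [(38.90, -77.04), (38.92, -77.02)]),
}


def invite_to_split(requester_id, trip_id, phone):
    """Fare-split invite that does not reveal whether `phone` belongs to an account.

    The caller gets the same response either way. If the number is registered,
    the invite is recorded against the trip (and would be delivered to that
    account out-of-band); the invitee's User ID is never returned to the caller.
    """
    trip = TRIPS.get(trip_id)
    if trip is None or trip.rider_id != requester_id:
        return {"status": "not_found"}             # can only invite onto your own trip
    invitee = next((uid for uid, u in USERS.items() if u["phone"] == phone), None)
    if invitee is not None and invitee != requester_id:
        trip.shared_with.add(invitee)              # visible only to the invitee
    return {"status": "invite_sent"}               # identical for known and unknown numbers


def get_trip(requester_id, trip_id):
    """Object-level authorization: only the rider or a fare-split participant.

    Unauthorized and nonexistent trips both return None so the endpoint cannot
    be used as an oracle for which trip IDs exist.
    """
    trip = TRIPS.get(trip_id)
    if trip is None or requester_id not in ({trip.rider_id} | trip.shared_with):
        return None
    view = {"trip_id": trip.trip_id, "date": trip.date, "cost_usd": trip.cost_usd}
    if requester_id == trip.rider_id:
        view["route"] = trip.route                 # the full route is the rider's alone
    return view


if __name__ == "__main__":
    print(get_trip("rider-2", "t-aaa"))                              # None
    print(invite_to_split("rider-1", "t-aaa", "+15550002222"))       # invite_sent
    print(invite_to_split("rider-1", "t-aaa", "+15559999999"))       # invite_sent, same answer
    print(get_trip("rider-2", "t-aaa"))                              # date and cost, no route
```

The point of the design is that an identifier alone buys nothing: even a caller who knows a valid trip ID gets only what their relationship to that trip entitles them to, and a caller probing phone numbers learns nothing about which ones are registered.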
Luckily for Uber users everywhere, these vulnerabilities were responsibly disclosed to Uber and subsequently fixed. I think Integrity’s article shows an important example where small individual security issues can snowball together and become a large threat. Yes, enumerating User IDs for a web application is a potential privacy issue on its own, but it becomes critical when those User IDs can be converted into even more sensitive information about the users.
Uber did an excellent job working with the researchers at Integrity to quickly resolve these issues. I would urge anyone involved with application development to keep an open rapport with external security researchers. Internal QA will never catch everything, meaning external researchers are an important tool in protecting your product from the bad guys. –Marc Laliberte