Secplicity - Security Simplified

Powered by WatchGuard Technologies

Little Uber Hacks Snowball into Bigger Threats

June 27, 2016 By Marc Laliberte

Integrity, a UK- and Portugal-based security consulting firm, recently released some interesting research after participating in Uber’s bug bounty program. For those unfamiliar, bug bounties are a way for organizations to incentivize security researchers to responsibly disclose vulnerabilities in their products. By promising a bounty, organizations hope that researchers will work with them to resolve security issues instead of selling them on the underground to the highest bidder.

Last week Integrity shared their experience with Uber’s bug bounty program. They describe their process for identifying bugs in different areas of Uber’s API and mobile apps, and they responsibly disclosed several vulnerabilities, which Uber has since resolved. I highly recommend you read the article, but I’ll highlight some of their more notable findings below.

Uber sometimes offers promotional codes for discounted rides, either to new users or as part of emergency ride home programs with other ride share services. In their testing, Integrity discovered that Uber had no protection against “brute forcing” these promo codes in their application. Integrity quickly found over a thousand valid discount codes, but Uber’s security team initially turned the research away because they considered the promo codes public. It wasn’t until Integrity found a $100 code, intended for a Washington-based carpool community’s emergency ride home program, that Uber budged and resolved the brute force issue.

While intercepting traffic from the Uber cell phone app during an actual ride, Integrity also found that they could enumerate Uber User IDs by sending phone numbers to an Uber API designed to allow splitting ride fare bills. Paired with another bug, these User IDs were easily leveraged to return the personal email address of the associated Uber user.

Most frighteningly, Integrity found they could use a rider’s User ID (obtained from the previously mentioned bug) to find details about that user’s trips. The details included the date of the trip, the cost of the trip, and a map of the entire trip route. Putting these bugs together, armed only with a rider’s phone number, Integrity was able to ultimately see a scary level of detail on every Uber ride ever taken by that user.

Luckily for Uber users everywhere, these vulnerabilities were responsibly disclosed to Uber and subsequently fixed. I think Integrity’s article shows an important example where small individual security issues can snowball together and become a large threat. Yes, enumerating User IDs for a web application is a potential privacy issue on its own, but it becomes critical when those User IDs can be converted into even more sensitive information about the users.
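Both of the weaknesses above (unthrottled promo-code guessing and user-ID lookup by phone number) share a signature a defender can watch for: one client submitting a large number of distinct values to the same endpoint in a short window. The following is an added example for this post, not code from Uber or Integrity; the log format, endpoint paths and thresholds are assumptions, and the sample log lines are constructed.

```python
"""Flag clients that sweep many distinct values through a lookup endpoint.

Added example for this post; endpoint paths, log format and thresholds
are assumptions, and the sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical endpoints: a promo-code redemption call and a fare-split
# call that accepts phone numbers (the two enumeration vectors in the post).
WATCHED = {"/promo/apply": "code", "/fare/split": "phone"}

def parse_line(line):
    # Constructed format: "<ISO time> <client_ip> <path> <param>=<value>"
    ts, client, path, kv = line.split()
    key, value = kv.split("=", 1)
    return datetime.fromisoformat(ts), client, path, key, value

def find_enumerators(lines, window=timedelta(minutes=5), max_distinct=20):
    """Return {(client, path): distinct_count} for every client that sent
    more than max_distinct different values to a watched endpoint inside
    any sliding window. A real rider retries one or two codes; a brute
    force cycles through hundreds, so distinct values, not request
    volume, is the signal."""
    events = defaultdict(list)  # (client, path) -> [(ts, value), ...]
    for line in lines:
        ts, client, path, key, value = parse_line(line)
        if WATCHED.get(path) == key:
            events[(client, path)].append((ts, value))
    flagged = {}
    for (client, path), evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # slide the window forward
                start += 1
            distinct = len({v for _, v in evs[start:end + 1]})
            if distinct > max_distinct:
                flagged[(client, path)] = max(distinct, flagged.get((client, path), 0))
    return flagged

# Constructed sample: one client sweeps promo codes, one sweeps phone
# numbers, and one normal rider retries the same code twice.
SAMPLE = (
    [f"2016-06-20T10:00:{i:02d} 203.0.113.7 /promo/apply code=UBER{i:04d}" for i in range(25)]
    + [f"2016-06-20T10:01:{i:02d} 198.51.100.9 /fare/split phone=+1555000{i:04d}" for i in range(30)]
    + ["2016-06-20T10:02:00 192.0.2.4 /promo/apply code=FREERIDE",
       "2016-06-20T10:02:30 192.0.2.4 /promo/apply code=FREERIDE"]
)

if __name__ == "__main__":
    for (client, path), n in find_enumerators(SAMPLE).items():
        print(f"{client} sent {n} distinct values to {path} within 5 minutes")
```

The same per-client distinct-value count can drive a rate limit at the API gateway, which closes the promo-code and phone-number sweeps before they can be chained into trip history.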

Uber did an excellent job working with the researchers at Integrity to quickly resolve these issues. I would urge anyone involved with application development to keep an open rapport with external security researchers. Internal QA will never catch everything, meaning external researchers are an important tool in protecting your product from the bad guys. –Marc Laliberte
