Security experts from the Integrity firm have found more than a dozen flaws in the Uber website that could be exploited by hackers to access driver and passenger data. The researchers discovered a total of security 14 issues, four of which cannot be disclosed.
One of the vulnerabilities exists in the promotion codes, the riders.uber.com website did not implement security mechanisms to defeat brute-force attacks, allowing attackers to try all possible combinations of strings until the promotion codes haven’t been discovered.
The researchers also found a $100 ERH (emergency ride home) code that could be applied on top of other promo codes.
“Uber also gives an option to customize promotion codes, and since all the default codes began with the word “uber”, it was possible to drop the time of the brute force considerably allowing us to find more than 1000 valid codes.” states the blog post published by Integrity.
“Initially this issue was not considered valid because the promotions codes are supposed to be public and be given by anyone. This was true until finding an $100 ERH (Emergency Ride Home) code which they (uber-sec team) had no knowledge about. This ERH codes work differently from all others since even if a promotion code is already applied this ones can still be added.”
The researchers also discovered a security issue that resides in Uber app, in particular in the feature that allows Uber customers to split the fare with other clients.
The experts discovered that the response sent by Uber when users request to split the fare contains the unique identifiers (UUIDs) of both the driver and the passenger. The researchers used the UUID to obtain the associated user’s private email address leveraging on requests made to Uber servers via the Help feature implemented in the Uber app.
Another issue found by the research is the possibility to use the Uber Partner/Driver App without being Activated. Normally, even if users create a driver’s account, it remains not activated until Uber completes the verification procedure that includes the exam of the driver documents.
Users can use the mobile app after their account is validated by the company the value of the variable called “isActivated” is set to “true. The experts discovered that attackers can change the value of the variable to allow them the access to the app, once inside the app they could see the driver’s info (name, license plate, and information on the last passenger and their trip) simply by knowing the targeted driver’s UUID. The UUID can be obtained by requesting a car and then cancelling the order – the UUID is included in the request.
How to discover the UUID of a driver?
Simple, request a car and then cancel the order. The UUID is one of the fields in the request.
Among the issued not yet disclosed, there is the possibility to access the full path of a driver’s trip.
The knowledge of the UUID could be also exploited by hackers to impersonate a user to access his list of trips, including path, driver details, cost, and locations.
The group closed the post on their activity by highlighting the importance of bounty programs to have more secure applications. The asked Uber to provide testing accounts to speed up the testing activities.
“This was our first bug bounty program that we really dedicated some time, and we think it had a positive outcome. At the beginning we weren’t too confident with this program because a lot of people had already tested Uber in the private program, but after some time and when we started to find some good vulnerabilities it gave us the drive to continue and see where it could lead us.” added the team.
“As a final note to our article, we want to say that Uber should provide testing accounts to bug hunters. During our tests we did have our accounts being locked due to the nature of our tests and to unlock them, it was a bit of a nightmare”
(Security Affairs – Uber app, hacking)