Friday, June 24, 2016
A trio of Portuguese hackers set their sights on Uber, and they found several vulnerabilities that have already netted them $18k in rewards from Uber - including one that allowed them to see any trip from any user.
Fábio Pires, Filipe Reis and Vítor Oliveira are penetration testers at Integrity, so they're used to pushing online services to their breaking point. With Uber having a bug bounty program that rewards such experiments (unlike other companies that prefer to sue anyone finding bugs) and being a high-profile service, they decided to make it their next target... and it didn't take them long to start finding vulnerabilities.
After a few flaws that Uber was already aware of, the team finally found something they considered interesting: the possibility to brute-force promo codes. At first Uber didn't consider this to be a security issue, as promo codes are intended to be public... until the team found out about the $100 "ERH" (Emergency Return Home) codes that some companies provide to their employees. Uber then reconsidered... before users started scavenging $100 codes and using them at will.
But things didn't stop there, and lots more followed, like the possibility to find Uber users' email addresses and, worse still, a way to see the details of any trip of any user, with information about the driver, the car, and the route taken. In all, besides all the duplicate vulnerabilities, these Portuguese "white hat" hackers have reported 8 vulnerabilities, having already received $18k for 4 of them.
Looks like there's no shortage of flaws waiting to be found out there... and skillful people might even end up being able to make a living out of bug bounty programs. :)