NASDAQ-listed ride-hailing giant Uber has recently fixed a security bug found by Indian cybersecurity researcher Anand Prakash and paid him a bounty of $6,500. Prakash told news reporters that the bug allowed attackers to log into anyone’s Uber account. After receiving permission from Uber to disclose the bug under its responsible disclosure policy, Prakash explained that it was an account takeover vulnerability that allowed attackers to take over any other user’s Uber account, including those of partners and Uber Eats users.
The bug allowed an attacker to supply a victim’s user UUID in an API request and use the access token leaked in the response to hijack the account. Prakash explained that his team was able to enumerate other Uber users’ UUIDs by supplying their phone number or email address in another API request. APIs send information from Uber to app developers, typically so that other apps, like Google Maps, work with Uber.
The cybersecurity researcher also told us that the root cause was a missing authorization check on an endpoint, which leaked the Uber mobile-app access token of any other user when only that user’s id was supplied. The fix was to authorize the request, he added. The bug was reported to Uber on April 19, triaged on April 25 and fixed on April 26. Prakash, who works at App Secure, requested public disclosure in June, and Uber disclosed the bug report on September 9. A spokesperson for Uber told news reporters that the bug was quickly fixed through Uber’s bug bounty program, “which has paid over $2M USD to more than 600 researchers around the world, including top researchers in India. We are grateful for their contributions to help protect the Uber platform.” In this day and age, with data security concerns costing tech giants such as Facebook billions, security breaches have not stopped.
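Added example, not Uber’s code or Prakash’s report: a minimal Python model of the bug class described above, with the token endpoint that trusts the supplied user id beside the same endpoint with the missing authorization check, plus a detector run over constructed log lines. The server key, user ids and log format are assumptions.

```python
# Added example (not Uber's code): a minimal model of the bug class described
# above. One endpoint mints a user's access token keyed only on the supplied
# user id (the bug); the other adds the authorization check that was missing;
# a detector then flags cross-user token requests in constructed log lines.
import hashlib
import hmac
from collections import defaultdict

SERVER_KEY = b"constructed-demo-key"          # assumption: server-side secret
USERS = {"u-1111": "alice@example.test",      # constructed sample users
         "u-2222": "bob@example.test"}

def mint_token(uuid: str) -> str:
    """Stand-in for issuing the user's mobile-app access token."""
    return hmac.new(SERVER_KEY, uuid.encode(), hashlib.sha256).hexdigest()

def vulnerable_token_endpoint(caller_uuid: str, target_uuid: str):
    """caller_uuid comes from the session; target_uuid from the request body.
    BUG: the two are never compared, so any valid target id yields its token."""
    if target_uuid not in USERS:
        return 404, None
    return 200, mint_token(target_uuid)

def fixed_token_endpoint(caller_uuid: str, target_uuid: str):
    """Same endpoint with the authorization check the article says was missing.
    Authorize first, so the endpoint does not confirm which ids exist either."""
    if not hmac.compare_digest(caller_uuid, target_uuid):
        return 403, None                       # refuse before minting anything
    if target_uuid not in USERS:
        return 404, None
    return 200, mint_token(target_uuid)

# Constructed access-log lines: "<caller_uuid> <target_uuid> <status>"
LOG = """u-1111 u-1111 200
u-2222 u-2222 200
u-2222 u-1111 200
u-2222 u-1111 200""".splitlines()

def flag_cross_user_requests(lines):
    """Count, per caller, successful token requests for a different user id.
    A non-zero count is the signal a defender wants while the fix is pending."""
    hits = defaultdict(int)
    for line in lines:
        caller, target, status = line.split()
        if status == "200" and caller != target:
            hits[caller] += 1
    return dict(hits)

if __name__ == "__main__":
    print(vulnerable_token_endpoint("u-2222", "u-1111")[0])  # 200: token leaked
    print(fixed_token_endpoint("u-2222", "u-1111")[0])       # 403
    print(flag_cross_user_requests(LOG))                     # {'u-2222': 2}
```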