A researcher discovered a vulnerability in the Uber API that could allow an adversary to take over users’ accounts. Exploiting the bug could allow an attacker to track users’ locations and even book rides via the victim’s account.
Vulnerability Discovered In Uber App
Reportedly, AppSecure founder Anand Prakash discovered a serious flaw in the Uber app. As reported by Forbes, the vulnerability existed in the Uber API and could allow complete account takeovers.
Specifically, the exploit required sending malicious API requests to obtain a user’s unique identifier (UUID). Such API requests could include the target account’s phone number or email address. Upon receiving the UUID, the attacker could then replay the request with this UUID to gain access to the account’s private data. As Prakash told Forbes,
Once you have the leaked Uber UUID from the API request, you can replay the request using the victim’s Uber UUID and get access to private information like access token (mobile apps), location and address.
The researcher, through this procedure, successfully compromised a test account. He has demonstrated the exploit in the following video.
This vulnerability potentially affected all Uber accounts: customer and driver accounts as well as Uber Eats accounts.
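To make the two-step chain above concrete from a defender’s side, here is an added example (not Uber’s code, and not the researcher’s) that models the lookup-then-replay pattern: a profile endpoint that trusts the UUID in the request without checking who is asking, the same endpoint with an object-level authorization check, and a log-based detector for sessions reading profiles of more than one UUID. The endpoint names, log format and all user data are hypothetical.

```python
"""Added example: object-level authorization and detection for a
UUID-based account takeover.  Endpoint names, log format and all
sample data are constructed, not taken from Uber's API."""
from collections import defaultdict

# Constructed user store: UUID -> profile (hypothetical data).
USERS = {
    "uuid-1111": {"email": "alice@example.com", "token": "tok-alice", "addr": "1 Main St"},
    "uuid-2222": {"email": "bob@example.com", "token": "tok-bob", "addr": "9 Elm Rd"},
}

def lookup_uuid(email):
    """Lookup step: an endpoint that maps an email/phone to a UUID.
    On its own a UUID is harmless; it becomes dangerous only if some
    other endpoint treats possession of the UUID as authorization."""
    for uid, profile in USERS.items():
        if profile["email"] == email:
            return uid
    return None

def get_profile_vulnerable(caller_uuid, target_uuid):
    """Replay step as described in the report: returns token, location
    and address for whatever UUID is in the request.  caller_uuid is
    deliberately ignored; that missing check is the bug."""
    return USERS.get(target_uuid)

def get_profile_fixed(caller_uuid, target_uuid):
    """Object-level authorization: the authenticated session may only
    read its own profile.  Returns None where a real API would send 403."""
    if caller_uuid != target_uuid:
        return None
    return USERS.get(target_uuid)

# Constructed access-log lines: "<session> <endpoint> <target_uuid>".
LOG = """\
sess-A /v1/lookup uuid-1111
sess-A /v1/profile uuid-1111
sess-X /v1/lookup uuid-1111
sess-X /v1/lookup uuid-2222
sess-X /v1/profile uuid-1111
sess-X /v1/profile uuid-2222
"""

def suspicious_sessions(log, max_targets=1):
    """Detection: a legitimate session owns one account, so a session
    fetching profiles for more than max_targets distinct UUIDs is flagged."""
    targets = defaultdict(set)
    for line in log.splitlines():
        sess, endpoint, uid = line.split()
        if endpoint == "/v1/profile":
            targets[sess].add(uid)
    return sorted(s for s, t in targets.items() if len(t) > max_targets)
```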
Uber Patched The Flaw
Upon finding the bug, the researcher reported it to Uber through HackerOne on April 19, 2019. Uber then worked on a fix and resolved the issue within a week, by April 26, 2019.
Apart from releasing a patch, Uber also rewarded Prakash for this bug with a bounty of $6500.
Let us know your thoughts in the comments.