Home Security Critical Vulnerability In Uber App Could Allow Account Takeovers

Critical Vulnerability In Uber App Could Allow Account Takeovers

by ethhack

A researcher discovered a vulnerability in Uber API app that could allow an adversary to take over users’ accounts. Exploiting the bug could allow an attacker to track user’s locations and even book rides via the victim’s account.

Vulnerability Discovered In Uber App

Reportedly, the AppSecure founder Anand Prakash discovered a serious flaw in Uber app. As reported by Forbes, the vulnerability existed in the Uber API that could allow complete account takeovers.

Specifically, the exploit required sending malicious API requests to get a user’s unique identifier (UUID). Such API requests could include the target account’s contact number or email address. Upon receiving the UUID, the attacker could then replay the request through this UUID to gain access to the accounts’ private data. As Prakash told Forbes,

Once you have the leaked Uber UUID from the API request, you can replay the request using the victim’s Uber UUID and get access to private information like access token (mobile apps), location and address.

The researcher, through this procedure, successfully compromised a test account. He has demonstrated the exploit in the following video.

This vulnerability potentially affected all Uber accounts of the customers, drivers, as well as Uber Eats accounts.

Uber Patched The Flaw

Upon finding the bug, the researcher informed Uber about the matter through HackerOne. He reported the matter on April 19, 2019. Following his report, Uber worked out on a fix. After a week, Uber resolved the matter by April 26, 2019.

Apart from releasing a patch, Uber also rewarded Prakash for this bug with a bounty of $6500.

Let us know your thoughts in the comments.

The following two tabs change content below.
Avatar
Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]
Avatar

Source link

Related Articles

Leave a Comment

deneme bonusu veren sitelerbahis casinomakrobetceltabetpinbahispolobetpolobet girişpinbahis girişmakrobet girişpulibet girişmobilbahis girişkolaybet giriş