My first bounty with Uber

> Published On August 04, 2016

> By severus


I have been on HackerOne for a year. After many Duplicate and Informative reports, I finally have my first bounty, from Uber.

First bug: Get employee information of an organization

I visited business.uber.com and saw a POST request carrying a userUuid parameter.

I wondered: if I changed it to another user's uuid, would it still work?

It worked: the response contained the other user's information, including full name, organization id and the organization's payment name. But it is difficult to attack with the userUuid parameter alone. Looking into the response body, I found that the email is also unique, so I used that instead. The catch is that only an email linked to some organization returns data; otherwise the endpoint returns empty JSON.

With this attack, an attacker can work out who the admins are, employees' full names, the organization's payment name, and user references such as Receipt Forwarding.

I reported it to Uber via HackerOne. They responded quickly and asked for some information.

Timeline:

  • 7/15/2016: Reported to Uber via HackerOne.
  • 7/16/2016: Uber asked for more information.
  • 7/20/2016: Report triaged.
  • 7/29/2016: Report resolved.
  • 8/4/2016: Bounty rewarded.

Second bug: Get another organization's trips via organization id

After I submitted the first bug, I tried other JSON endpoints. Most of them returned a 403 status, but server/organizations/organization_uuid/trips2 returned empty JSON. Huh? That was odd, because it returned JSON rather than HTML. I tried to explain why.

Two cases came to mind:

  • They check the supplied uuid against the current user's uuid and return results only if they match.
  • They only check that the uuid is valid, without comparing it to the current user's uuid, and then return results.

If I entered an invalid uuid, an internal backend error was returned. Since neither my victim organization nor my main organization had any trip records, I could not see data in the response, but I decided to submit the bug anyway.
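Both bugs are the same class of flaw: the backend validates that the requested identifier exists but never checks that it belongs to the caller's organization. The following is an added example written for this post, not Uber's code; the handler names, session model and sample directory data are all constructed. It contrasts the two behaviours the post observed (a lookup that answers for any user, and a trips endpoint that only distinguishes valid from invalid uuids) with versions that perform the object-level authorization check on the server side.

```python
"""Object-level authorization for per-user and per-organization lookups.

Added example for this write-up; names and data are constructed, not Uber's.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: two organizations plus one unaffiliated user.
USERS = {
    "u-1111": {"email": "alice@acme.example", "full_name": "Alice A.", "org": "org-A", "role": "admin"},
    "u-2222": {"email": "bob@globex.example", "full_name": "Bob B.", "org": "org-B", "role": "member"},
    "u-3333": {"email": "carol@nowhere.example", "full_name": "Carol C.", "org": None, "role": "member"},
}
TRIPS = {"org-A": [{"trip": "t-1", "fare": 12.5}], "org-B": []}


@dataclass
class Session:
    """Who is calling: the authenticated user and the organization they belong to."""
    user_uuid: str
    org: Optional[str]


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def find_user(user_uuid=None, email=None):
    """Locate a user by uuid or by email (the post notes email is also unique)."""
    for uid, u in USERS.items():
        if (user_uuid and uid == user_uuid) or (email and u["email"] == email):
            return uid, u
    return None, None


def member_lookup_vulnerable(session, user_uuid=None, email=None):
    """Pattern from the first bug: existence is checked, ownership is not.

    Unknown or unaffiliated emails get empty JSON, so the response itself
    reveals whether an address is tied to some organization.
    """
    _, u = find_user(user_uuid, email)
    if not u or not u["org"]:
        return {}
    return {"fullName": u["full_name"], "orgId": u["org"], "role": u["role"]}


def member_lookup_fixed(session, user_uuid=None, email=None):
    """Same lookup, but the record must belong to the caller's organization.

    'Not found' and 'not yours' produce the same error so the endpoint cannot
    be used as an oracle for which emails are registered elsewhere.
    """
    _, u = find_user(user_uuid, email)
    if not u or u["org"] is None or u["org"] != session.org:
        raise NotFound("no such member")
    return {"fullName": u["full_name"], "orgId": u["org"], "role": u["role"]}


def org_trips_vulnerable(session, org_uuid):
    """Pattern from the second bug: valid uuid -> data, invalid uuid -> error."""
    if org_uuid not in TRIPS:
        raise RuntimeError("internal backend error")
    return TRIPS[org_uuid]


def org_trips_fixed(session, org_uuid):
    """Authorize against the session first; only then touch the data layer."""
    if session.org is None or org_uuid != session.org:
        raise Forbidden("organization does not belong to caller")
    return TRIPS.get(org_uuid, [])


def is_denied(fn, *args, **kwargs):
    """Helper for checks: True when the handler refuses the request."""
    try:
        fn(*args, **kwargs)
    except (Forbidden, NotFound):
        return True
    return False


if __name__ == "__main__":
    bob = Session("u-2222", "org-B")
    # Bob, from org-B, asks about an org-A employee by email.
    print("vulnerable:", member_lookup_vulnerable(bob, email="alice@acme.example"))
    print("fixed denies:", is_denied(member_lookup_fixed, bob, email="alice@acme.example"))
    print("vulnerable trips:", org_trips_vulnerable(bob, "org-A"))
    print("fixed denies trips:", is_denied(org_trips_fixed, bob, "org-A"))
```

The fixed handlers make the authorization decision from the session, not from anything in the request, and they deny before querying the data store. That ordering also removes the difference the post noticed between an empty JSON body and an internal error: a caller outside the organization sees the same refusal whether or not the uuid exists.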

Timeline:

  • 7/15/2016: Reported to Uber via HackerOne.
  • 7/16/2016: Uber asked for more information.
  • 7/28/2016: Report triaged.
  • 7/29/2016: Report resolved.
  • 8/4/2016: Bounty rewarded.

Triaged and Informative bugs

I also have one triaged bug and one informative bug (which is publicly disclosed). Waiting for a new reply.

Credit: HoangDoan for non-technical advice.

  • Motivation: some guys called me a loser because I have no bachelor's degree.

Tags: bug bounty security


© 2018 - Security Researchers Team. All rights reserved
Built using Jekyll