Uber: upgrade account type to enterprise without verification

> Published On September 10, 2016

> By severus


After 2 rewarded bugs, I found another bug on business.uber.com.

A user can upgrade to any valid account type, each of which has different features.

I had upgraded my account to premium, but I saw other features of the enterprise type at https://bizblog.uber.com/enterprise-ready-enterprise-approved/. I wondered whether I could upgrade to the enterprise type. When upgrading to premium, I looked carefully at the request to https://business.uber.com/server/organizations/[id]/update_tier and saw an interesting parameter, changeTierData. A business account has 3 types: standard, premium and enterprise. If I changed the type to enterprise, would it work, given that only a company approved by Uber has the enterprise solution? I tried it and it worked. My account was enterprise.
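The flaw described above is a missing server-side entitlement check on a client-supplied tier value. The following is an added example, not code from the original post or from Uber: it models the described behaviour next to a handler that enforces approval on the server. The shape of changeTierData (a `tier` field), the `Organization` record and the approval set are assumptions made for illustration.

```python
# Added example. Only changeTierData and the three tier names come from the post;
# every other name and the payload shape are hypothetical.
from dataclasses import dataclass

VALID_TIERS = ("standard", "premium", "enterprise")
# Tiers that need an approval recorded server-side before they can be set (assumption).
APPROVAL_REQUIRED = {"enterprise"}


class TierChangeDenied(Exception):
    pass


@dataclass
class Organization:
    org_id: str
    tier: str = "standard"
    admin_ids: frozenset = frozenset()
    approved_tiers: frozenset = frozenset()  # written by staff tooling, never by the client


def vulnerable_update_tier(org, user_id, body):
    """Model of the described flaw: any valid tier name from the client is applied."""
    requested = body["changeTierData"]["tier"]
    if requested in VALID_TIERS:
        org.tier = requested
    return org.tier


def update_tier(org, user_id, body):
    """Hardened handler: validate the value, the caller, and the entitlement."""
    data = body.get("changeTierData")
    requested = data.get("tier") if isinstance(data, dict) else None
    if not isinstance(requested, str) or requested not in VALID_TIERS:
        raise TierChangeDenied("unknown tier")
    if user_id not in org.admin_ids:
        raise TierChangeDenied("caller is not an admin of this organization")
    # The decisive check: approval is read from server state, not from the request.
    if requested in APPROVAL_REQUIRED and requested not in org.approved_tiers:
        raise TierChangeDenied("tier requires approval")
    org.tier = requested
    return org.tier
```
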

Timeline

  • 8/17/2016: Report was submitted via Hackerone
  • 8/19/2016: Uber requested more information
  • 8/24/2016: Report was triaged
  • 8/31/2016: Report was resolved
  • 9/10/2016: Bounty was rewarded

Credit: HoangDoan for non-technical advice.

  • Motivation: some guys call me a loser when I have no bachelor’s degree

Tags: bug bounty security uber
