Several Bugs Found in Uber App

Hello everybody,

The security firm Integrity recently discovered 14 bugs in the Uber app, but has only published details about six and is waiting on Uber to patch four more.

One of the main issues they discovered allowed brute-force attacks against Uber’s promo code feature in the panel for Uber drivers.

By trying out countless random combinations, the researchers found over 1,000 active promo codes. In addition, they found a $100 ERH (Emergency Ride Home) code that would have added $100 to each driver’s fare earnings.

Another bug allowed user details to be extracted via the mobile app’s Help section, and in turn revealed the victim’s email address.

There was also an issue in the way the app behaved when a user asked a second user to split the ride fare. According to the researcher, this allowed them to obtain the driver’s and invitee’s UUIDs and request private information like names, pictures, location, car type, status, rating, phone numbers, and more. Once the researchers got their hands on a user UUID, they were able to get information about that person’s trips in great detail, enough to plot out a map.

A significant flaw was found in the Uber app’s driver activation process. Uber drivers need to ask the company to activate their account before they can log in and check their details. But the researchers found that by toggling the “isActivated” parameter to “true,” they could add rogue drivers to the service.
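The activation bug above is a classic mass-assignment flaw: a client-supplied field is copied straight into the server-side record. The following is an added illustration, not code from the article or from Uber; the record layout, field names and the "ops_reviewer" role are hypothetical, and it contrasts the vulnerable update pattern with an allowlisted one where activation is a separate, privileged operation.

```python
# Added example (hypothetical names, not Uber's code): why "isActivated" must never
# be settable through a self-service profile update.
from dataclasses import dataclass

# Fields a driver may change about themselves; "isActivated" is deliberately absent.
DRIVER_EDITABLE_FIELDS = frozenset({"name", "phone", "carModel", "licensePlate"})


@dataclass
class Driver:
    name: str
    phone: str = ""
    carModel: str = ""
    licensePlate: str = ""
    isActivated: bool = False


def update_driver_vulnerable(driver: Driver, payload: dict) -> Driver:
    """Vulnerable pattern: every key in the request body overwrites the record,
    so a client can flip isActivated to true on its own account."""
    for key, value in payload.items():
        setattr(driver, key, value)
    return driver


def update_driver(driver: Driver, payload: dict) -> tuple:
    """Hardened pattern: copy only allowlisted fields and return the rejected
    keys so a request that tries to set isActivated can be logged and alerted on."""
    rejected = sorted(k for k in payload if k not in DRIVER_EDITABLE_FIELDS)
    for key in DRIVER_EDITABLE_FIELDS & payload.keys():
        setattr(driver, key, payload[key])
    return driver, rejected


def activate_driver(driver: Driver, actor_role: str) -> Driver:
    """Activation is a separate, privileged endpoint gated by a server-side role
    check (hypothetical role name), never a field in a profile update."""
    if actor_role != "ops_reviewer":
        raise PermissionError("only an ops reviewer may activate a driver")
    driver.isActivated = True
    return driver
```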

Another issue allowed a driver’s waybill section to be accessed, exposing the driver’s name, license plate, car model, last ride history, and more. Researchers did not disclose all details about this bug because it also allowed them to list the full path of the driver’s previous trip.

Source: Akati
