
Uber Hacking: How we found out who you are, where you are and where you went - r0t1
https://labs.integrity.pt/articles/uber-hacking-how-we-found-out-who-you-are-where-you-are-and-where-you-went/
======
supersan
0x03 – Enumerating UUIDs with phone numbers. The bug that was marked as
duplicate but I think really is at the heart of it all. Without this you won't
get the UUIDs which are needed for all the other exploits. Just imagining that
you can get anyone's email using just a phone number is crazy.

This alone should be worth thousands of dollars in the wrong hands because
just imagine someone running a telephone book against this exploit - it's like
having a peek into their users table and seeing all the registered users.

~~~
r0t1
That was indeed an important bug for the rest of our findings. To give you an
idea of why this data is so important to Uber, this is what we got so far:

1 - Possibility to brute force invite codes in riders.uber.com - $5000
2 - Possibility to view sensitive data from other riders and drivers - $3000
3 - Possibility to get private email using UUID - $5000
4 - Information regarding trips from other users - $5000

------
ryandrake
I'm impressed by the turn-around time on the fixes. I've worked places where
bug reports from QA (sitting right next to the developers) were not even
LOOKED at for a week, let alone resolved in a week. Kudos to Uber's team's
ability to act quickly, even on externally-reported issues.

------
TomAnthony
Details about Uber's bug bounty program are here:

[https://hackerone.com/uber](https://hackerone.com/uber)

They've paid a total of $343,770 out so far, with bounties ranging from $100
to $10,000.

------
dsl
Most of these findings would have been discovered during an in depth pentest.

While I applaud Uber (or any company) for having a bug bounty program, it does
not replace mandatory application pentests for new features and major
modifications. Each bug bounty paid out should result in a meeting to discover
not only how the vulnerability was introduced, but how it was missed in QA and
SQA.

------
DZittersteyn
For those interested in timelines:

- 0x01: [https://hackerone.com/reports/125505](https://hackerone.com/reports/125505)
- 0x02: [https://hackerone.com/reports/127158](https://hackerone.com/reports/127158)
- 0x03: [https://hackerone.com/reports/128723](https://hackerone.com/reports/128723)
- 0x04: [https://hackerone.com/reports/127085](https://hackerone.com/reports/127085)
- 0x05: [https://hackerone.com/reports/127087](https://hackerone.com/reports/127087)

------
big_youth
This is awesome.

I'm in infosec and there has been a lot of talk within my circles about the
'top' facebook security guys going to work for uber. Makes me happy that even
the leet (lol) security guys let major vulnerabilities slip through.

------
drivingmenuts
What is the time spent vs payout breakdown?

------
kensign
UUIDs as tokens? wow.

~~~
bitJericho
Uuid makes a great token.

~~~
koolba
> Uuid makes a great token.

When they're actually unique, sure. If your UUIDs are the byte
representation of something that isn't random (i.e. something not from
/dev/urandom) then no, they'll suck as much as the source. Generally speaking,
what you put in is what you get out.

~~~
mikeash
They need to be unique and unguessable, which don't necessarily go together.

For example, a version 1 UUID is unique, but is fairly guessable, since it's
just a MAC address, a timestamp, and a small random-initialized counter.

~~~
DZittersteyn
Looking at the reports, the UUIDs are xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx,
so v4 UUIDs, which should be pretty hard to guess (barring a bad PRNG, but
that's a whole different problem).

~~~
mikeash
Yeah, that gets you 122 bits of entropy (with a good RNG) so that should be
fine. I mainly pointed that out just in case anyone assumes "UUID"
automatically means "random UUID" and fails to check whether their particular
UUID generator uses v4 or something else.
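An added check along the lines of this sub-thread (not code from the article or from any commenter): it classifies a UUID by RFC 4122 variant and version, shows what a v1 value leaks (the generating host's node id and a timestamp), and treats only v4 values as acceptable token material. It uses only the Python standard library; the sample identifiers are RFC 4122's own NAMESPACE_DNS (a v1 UUID) and a constructed v4 string.

```python
import uuid
from datetime import datetime, timedelta

# v1 timestamps count 100 ns intervals since the Gregorian reform date.
_UUID_EPOCH = datetime(1582, 10, 15)


def uuid_report(token: str) -> dict:
    """Describe what an identifier reveals about how it was generated."""
    u = uuid.UUID(token)  # raises ValueError for malformed input
    report = {"rfc4122": u.variant == uuid.RFC_4122, "version": u.version}
    if u.version == 4:
        # 128 bits minus 4 version bits and 2 variant bits.
        report["random_bits"] = 122
    elif u.version == 1:
        # A v1 UUID is unique but not secret: it encodes the generating
        # host's node id (normally its MAC), a timestamp and a clock sequence.
        report["node"] = u.node
        report["generated_at"] = _UUID_EPOCH + timedelta(microseconds=u.time // 10)
        report["clock_seq"] = u.clock_seq
    return report


def is_unguessable(token: str) -> bool:
    """True only for RFC 4122 version 4 (random) UUIDs. Anything else,
    including other variants and malformed strings, is treated as predictable
    and unfit for use as a bearer token."""
    try:
        u = uuid.UUID(token)
    except ValueError:
        return False
    return u.variant == uuid.RFC_4122 and u.version == 4


def audit_tokens(tokens):
    """Return the subset of tokens that must not be relied on as secrets."""
    return [t for t in tokens if not is_unguessable(t)]


if __name__ == "__main__":
    # Constructed samples: the RFC's NAMESPACE_DNS (v1) and a fresh v4 value.
    for t in (str(uuid.NAMESPACE_DNS), str(uuid.uuid4())):
        print(t, uuid_report(t))
```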

