This alone should be worth thousands of dollars in the wrong hands because just imagine someone running a telephone book against this exploit - it's like having a peek into their users table and seeing all the registered users.
They've paid a total of $343,770 out so far, with bounties ranging from $100 to $10,000.
While I applaud Uber (or any company) for having a bug bounty program, it does not replace mandatory application pentests for new features and major modifications. Each bug bounty paid out should result in a meeting to discover not only how the vulnerability was introduced, but how it was missed in QA and SQA.
- 0x01: https://hackerone.com/reports/125505
- 0x02: https://hackerone.com/reports/127158
- 0x03: https://hackerone.com/reports/128723
- 0x04: https://hackerone.com/reports/127085
- 0x05: https://hackerone.com/reports/127087
I'm in infosec and there has been a lot of talk within my circles about the 'top' Facebook security guys going to work for Uber. Makes me happy that even the leet(lol) security guys let major vulnerabilities slip through.
When they're actually unique, sure. If your UUIDs are the byte representation of something that isn't random (i.e. something not from /dev/urandom) then no, they'll suck as much as the source. Generally speaking, what you put in is what you get out.
For example, a version 1 UUID is unique, but is fairly guessable, since it's just a MAC address, a timestamp, and a small random-initialized counter.
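To make the point in the last two comments concrete, here is an added example (not code from the thread or from Uber) that decomposes a version-1 UUID into the fields RFC 4122 puts in it and then enumerates the neighbouring IDs the same generator would have produced. The sample UUID, its node (MAC) value and clock sequence are constructed for this example; only the timestamp varies between candidates, which is what makes v1 IDs predictable once one has been seen. Python's standard `uuid` module is used throughout.

```python
import datetime
import uuid

# Constructed sample inputs for this example (hypothetical, not from the thread).
SAMPLE_NODE = 0x001122334455        # hypothetical 48-bit MAC address
SAMPLE_CLOCK_SEQ = 0x1234           # 14-bit clock sequence
UUID_EPOCH_OFFSET = 0x01B21DD213814000  # 100-ns ticks from 1582-10-15 to 1970-01-01 (RFC 4122)
# 2016-03-01T00:00:00Z expressed in the 100-ns ticks a v1 UUID carries
SAMPLE_TIME_100NS = 1456790400 * 10_000_000 + UUID_EPOCH_OFFSET


def v1_from_fields(time_100ns: int, clock_seq: int, node: int) -> uuid.UUID:
    """Assemble a version-1 UUID from its timestamp, clock sequence and node.

    The field split follows the RFC 4122 layout; uuid.UUID(version=1) sets the
    version and variant bits for us.
    """
    time_low = time_100ns & 0xFFFFFFFF
    time_mid = (time_100ns >> 32) & 0xFFFF
    time_hi_version = (time_100ns >> 48) & 0x0FFF
    clock_seq_hi_variant = (clock_seq >> 8) & 0x3F
    clock_seq_low = clock_seq & 0xFF
    return uuid.UUID(
        fields=(time_low, time_mid, time_hi_version,
                clock_seq_hi_variant, clock_seq_low, node),
        version=1,
    )


def decompose_v1(u: uuid.UUID) -> dict:
    """Pull the guessable parts out of a v1 UUID.

    Raises ValueError for any other version: a v4 UUID carries 122 random bits
    and there is nothing to decompose.
    """
    if u.version != 1:
        raise ValueError(f"not a version-1 UUID (version={u.version})")
    unix_ns = (u.time - UUID_EPOCH_OFFSET) * 100
    return {
        "timestamp_100ns": u.time,
        "unix_time": datetime.datetime.fromtimestamp(
            unix_ns / 1e9, tz=datetime.timezone.utc),
        "clock_seq": u.clock_seq,
        "node": u.node,
    }


def shares_generator(a: uuid.UUID, b: uuid.UUID) -> bool:
    """True when two v1 UUIDs carry the same node and clock sequence, i.e. the
    same host produced both and only the timestamp differs."""
    return (a.version == b.version == 1
            and a.node == b.node
            and a.clock_seq == b.clock_seq)


def candidate_v1_uuids(known: uuid.UUID, window_100ns: int):
    """Yield every UUID the same generator would emit within +/- window ticks
    of a known one. Node and clock sequence are copied from the known UUID,
    so the search space is just the timestamp window, not 128 bits."""
    fields = decompose_v1(known)
    for delta in range(-window_100ns, window_100ns + 1):
        yield v1_from_fields(fields["timestamp_100ns"] + delta,
                             fields["clock_seq"], fields["node"])


SAMPLE_UUID = v1_from_fields(SAMPLE_TIME_100NS, SAMPLE_CLOCK_SEQ, SAMPLE_NODE)

if __name__ == "__main__":
    info = decompose_v1(SAMPLE_UUID)
    print(SAMPLE_UUID, "->", info)
    # Neighbouring IDs an attacker would try after seeing SAMPLE_UUID once.
    for cand in candidate_v1_uuids(SAMPLE_UUID, 2):
        print(cand, shares_generator(cand, SAMPLE_UUID))
    try:
        decompose_v1(uuid.uuid4())
    except ValueError as exc:
        print("v4:", exc)
```

The window is in 100 ns ticks, so a one-second window is ten million candidates; whether that is practical to probe depends on the generator's real timestamp resolution and on how many requests the target lets you make, which the example does not try to model.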