0x03 – Enumerating UUIDs with phone numbers. The bug that was marked as duplicate but I think really is at the heart of it all. Without this you won't get the UUIDs which are needed for all the other exploits. Just imagining that you can get anyone's email using just a phone number is crazy.
This alone should be worth thousands of dollars in the wrong hands because just imagine someone running a telephone book against this exploit - it's like having a peek into their users table and seeing all the registered users.
That was indeed an important bug for the rest of our findings. To give you an idea of why this data is so important to Uber, this is what we got so far:
1 - Possibility to brute force invite codes in riders.uber.com - $5000
2 - Possibility to view sensitive data from other riders and drivers - $3000
3 - Possibility to get private email using UUID - $5000
4 - Information regarding trips from other users - $5000
I'm impressed by the turn-around time on the fixes. I've worked places where bug reports from QA (sitting right next to the developers) were not even LOOKED at for a week, let alone resolved in a week. Kudos to Uber's team's ability to act quickly, even on externally-reported issues.
Most of these findings would have been discovered during an in depth pentest.
While I applaud Uber (or any company) for having a bug bounty program, it does not replace mandatory application pentests for new features and major modifications. Each bug bounty paid out should result in a meeting to discover not only how the vulnerability was introduced, but how it was missed in QA and SQA.
I'm in infosec and there has been a lot of talk within my circles about the 'top' Facebook security guys going to work for Uber. Makes me happy that even the leet(lol) security guys let major vulnerabilities slip through.
When they're actually unique, sure. If your UUIDs are the byte representation of something that isn't random (i.e. something not from /dev/urandom) then no, they'll suck as much as the source. Generally speaking, what you put in is what you get out.
Looking at the reports, the UUIDs are xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx, so V4 UUIDs, which should be pretty hard to guess (barring bad PRNG, but that's a whole different problem)
Yeah, that gets you 122 bits of entropy (with a good RNG) so that should be fine. I mainly pointed that out just in case anyone assumes "UUID" automatically means "random UUID" and fails to check whether their particular UUID generator uses v4 or something else.
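The check the two comments above are describing, written out as an added example (this is not code from the thread or from Uber): read the version nibble and variant bits of a UUID to tell a v4 random UUID (122 bits from the RNG) from a time-based v1 or a name-based v3/v5, and, because a well-formed v4 string says nothing about the quality of the source that produced it, a crude batch test that flags a set of UUIDs which share a long common prefix. The sample UUIDs below are constructed for the example; the sequential batch stands in for the "byte representation of something that isn't random" case.

```python
import uuid
from typing import Iterable, List


def classify_uuid(s: str) -> dict:
    """Report the version, variant and number of RNG-derived bits of a UUID string.

    Only an RFC 4122 variant (first nibble of the 4th group is 8, 9, a or b)
    carries a meaningful version nibble; for v4 the 128 bits minus 4 version
    bits minus 2 variant bits leave 122 bits that came from the generator.
    Raises ValueError on a malformed string.
    """
    u = uuid.UUID(s)
    rfc = u.variant == uuid.RFC_4122
    version = u.version if rfc else None
    random_bits = 0
    if not rfc:
        note = "not an RFC 4122 variant; the version nibble is meaningless"
    elif version == 4:
        random_bits = 122
        note = "random UUID: 128 - 4 version - 2 variant bits drawn from the RNG"
    elif version == 1:
        note = "time-based UUID: 60-bit timestamp, 14-bit clock sequence, 48-bit node (usually a MAC); predictable"
    elif version in (3, 5):
        note = "name-based UUID (MD5 / SHA-1 of a name): deterministic for a given input"
    else:
        note = f"version {version}: not a random UUID"
    return {"version": version, "rfc4122": rfc, "random_bits": random_bits, "note": note}


def common_prefix_bits(batch: Iterable[str]) -> int:
    """Number of leading bits shared by every UUID in the batch.

    The common prefix of a set of integers equals the common prefix of its
    minimum and maximum, so one XOR suffices. A single value shares all 128 bits
    with itself. Raises ValueError on an empty batch.
    """
    ints = [uuid.UUID(s).int for s in batch]
    if not ints:
        raise ValueError("empty batch")
    return 128 - (min(ints) ^ max(ints)).bit_length()


def looks_low_entropy(batch: Iterable[str], threshold: int = 16) -> bool:
    """Flag a batch whose members agree on more than `threshold` leading bits.

    For 32 genuinely random UUIDs the chance of sharing even 16 leading bits is
    about 2^-(16*31); a counter or timestamp dressed up as a v4 UUID fails this
    immediately. The threshold is an assumption for this example, not a standard.
    """
    return common_prefix_bits(batch) > threshold


def random_batch(n: int) -> List[str]:
    """n UUIDs from the OS RNG, for comparison against a constructed batch."""
    return [str(uuid.uuid4()) for _ in range(n)]


# Constructed samples (not real identifiers from the reports).
V4_SAMPLE = "123e4567-e89b-42d3-a456-426614174000"   # version 4, variant a
V1_SAMPLE = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"   # version 1 (this is RFC 4122's DNS namespace)
NON_RFC_SAMPLE = "123e4567-e89b-42d3-c456-426614174000"  # variant c: reserved, not RFC 4122

# A counter wearing a v4 costume: version and variant nibbles are right, but
# the 32 values differ only in their low 5 bits.
SEQUENTIAL_BATCH = [f"00000000-0000-4000-8000-{i:012x}" for i in range(32)]

if __name__ == "__main__":
    for sample in (V4_SAMPLE, V1_SAMPLE, NON_RFC_SAMPLE):
        print(sample, classify_uuid(sample))
    print("sequential batch shares", common_prefix_bits(SEQUENTIAL_BATCH), "leading bits",
          "-> low entropy" if looks_low_entropy(SEQUENTIAL_BATCH) else "-> ok")
    rb = random_batch(32)
    print("random batch shares", common_prefix_bits(rb), "leading bits",
          "-> low entropy" if looks_low_entropy(rb) else "-> ok")
```

The first function answers the narrow question ("is this generator actually emitting v4?"); the batch check answers the second comment's point that a v4-shaped string built from a counter or a timestamp is only as unpredictable as its source. Neither test proves the RNG is good; they only catch the obvious failures.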