Uber Hacking: How we found out who you are, where you are and where you went (integrity.pt)
158 points by r0t1 on June 23, 2016 | 14 comments

0×03 – Enumerating UUIDs with phone numbers. The bug that was marked as duplicate but I think really is at the heart of it all. Without this you won't get the UUIDs which are needed for all the other exploits. Just imagining that you can get anyone's email using just a phone number is crazy.

This alone should be worth thousands of dollars in the wrong hands because just imagine someone running a telephone book against this exploit - it's like having a peek into their users table and seeing all the registered users.

That was indeed an important bug for the rest of our findings. To give you an idea on why is this data so important to Uber, this is what we got so far:

1 - Possibility to brute force invite codes in riders.uber.com - $5000
2 - Possibility to view sensitive data from other riders and drivers - $3000
3 - Possibility to get private email using UUID - $5000
4 - Information regarding trips from other users - $5000

I'm impressed by the turn-around time on the fixes. I've worked places where bug reports from QA (sitting right next to the developers) were not even LOOKED at for a week, let alone resolved in a week. Kudos to Uber's team's ability to act quickly, even on externally-reported issues.

Details about Uber's bug bounty program are here:


They've paid a total of $343,770 out so far, with bounties ranging from $100 to $10,000.

Most of these findings would have been discovered during an in depth pentest.

While I applaud Uber (or any company) for having a bug bounty program, it does not replace mandatory application pentests for new features and major modifications. Each bug bounty paid out should result in a meeting to discover not only how the vulnerability was introduced, but how it was missed in QA and SQA.

This is awesome.

I'm in infosec and there has been a lot of talk within my circles about the 'top' Facebook security guys going to work for Uber. Makes me happy that even the leet(lol) security guys let major vulnerabilities slip through.

What is the time spent vs payout breakdown?

UUIDs as tokens? wow.

Uuid makes a great token.

> Uuid makes a great token.

When they're actually unique, sure. If your UUIDs are the byte representation of something that isn't random (i.e. something not from /dev/urandom) then no, they'll suck as much as the source. Generally speaking, what you put in is what you get out.

They need to be unique and unguessable, which don't necessarily go together.

For example, a version 1 UUID is unique, but is fairly guessable, since it's just a MAC address, a timestamp, and a small random-initialized counter.

Looking at the reports, the UUIDs are xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx, so v4 UUIDs, which should be pretty hard to guess (barring bad PRNG, but that's a whole different problem).

Yeah, that gets you 122 bits of entropy (with a good RNG) so that should be fine. I mainly pointed that out just in case anyone assumes "UUID" automatically means "random UUID" and fails to check whether their particular UUID generator uses v4 or something else.
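The v1-versus-v4 point made in the comments above, as an added example that is not part of the thread or of the original write-up: the code below classifies a token with Python's standard `uuid` module, reports the 122 random bits of a v4 UUID, and for a v1 UUID pulls out the MAC address, timestamp and 14-bit clock sequence that make it guessable, then shows how an attacker who has seen one v1 token can enumerate its neighbours. The function names (`classify`, `v1_neighbours`) and the sample UUIDs are my own choices; the v1 sample is the RFC 4122 DNS namespace UUID, used here purely as a convenient, well-known v1 value.

```python
import re
import uuid

# The shape quoted in the thread: version nibble "4", variant nibble 8/9/a/b.
V4_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I
)


def classify(token: str) -> dict:
    """Report what kind of UUID a token is and how much of it is random."""
    u = uuid.UUID(token)
    info = {
        "version": u.version,                       # None unless RFC 4122 variant
        "variant": u.variant,
        "matches_v4_pattern": bool(V4_RE.match(token)),
    }
    if u.variant == uuid.RFC_4122 and u.version == 4:
        # 128 bits minus 4 version bits minus 2 variant bits (good CSPRNG assumed).
        info["random_bits"] = 122
    elif u.variant == uuid.RFC_4122 and u.version == 1:
        # v1 exposes the generating host's MAC (node) and the 100 ns timestamp;
        # only the 14-bit clock sequence is randomly initialised.
        info["node"] = u.node
        info["time_100ns_since_1582"] = u.time
        info["clock_seq"] = u.clock_seq
        info["random_bits"] = 14
    else:
        # v3/v5 are hashes of a name, NCS/Microsoft variants are out of scope here.
        info["random_bits"] = None
    return info


def _v1_from_parts(time60: int, clock_seq: int, node: int) -> uuid.UUID:
    """Assemble a v1 UUID from its fields, laid out as RFC 4122 section 4.2.2."""
    time_low = time60 & 0xFFFFFFFF
    time_mid = (time60 >> 32) & 0xFFFF
    time_hi_version = ((time60 >> 48) & 0x0FFF) | (1 << 12)   # version 1
    clock_seq_hi_variant = 0x80 | ((clock_seq >> 8) & 0x3F)   # RFC 4122 variant
    clock_seq_low = clock_seq & 0xFF
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))


def v1_neighbours(token: str, count: int) -> list:
    """Given one observed v1 UUID, produce the next `count` UUIDs the same host
    would have minted with the same clock sequence: same MAC, timestamp + k.
    This is the enumeration a v1 token enables and a v4 token does not."""
    u = uuid.UUID(token)
    if u.variant != uuid.RFC_4122 or u.version != 1:
        raise ValueError("only v1 UUIDs can be extrapolated from their fields")
    return [str(_v1_from_parts(u.time + k, u.clock_seq, u.node))
            for k in range(1, count + 1)]


# Constructed samples: a random v4 token and the RFC 4122 DNS namespace (a v1).
SAMPLE_V4 = "f47ac10b-58cc-4372-a567-0e02b2c3d479"
SAMPLE_V1 = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"

if __name__ == "__main__":
    for t in (SAMPLE_V4, SAMPLE_V1):
        print(t, classify(t))
    print("v1 neighbours:", v1_neighbours(SAMPLE_V1, 3))
```

Two practical checks fall out of this: a bug-bounty reviewer can run `classify` over a handful of tokens scraped from an API to confirm they really are v4 (version nibble and variant nibble both right) rather than something that merely looks like a UUID, and a v1 hit is an immediate finding because `v1_neighbours` shows the token space collapses to a timestamp walk over a known MAC.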
