I Got Paid $0 from the Uber Security Bug Bounty (medium.com)
624 points by GregoryVPerry 58 days ago | 152 comments

Okay, so for the first 4 bug reports, I'm on Uber's side. In their Hackerone program details it says that one of the valid close states of a report is [1]:

> duplicate -- a vulnerability that has previously been found either internally or via Hackerone

As much as it sucks to find a bunch of vulnerabilities and not get them paid out, it doesn't make sense for Uber to a) publish a list of current unpatched security vulnerabilities or b) pay out everyone who reports the same vulnerability (make n accounts, report the same thing in each one, get minimum payout * n). I'd say it's off base to say that Hackerone didn't have your back. They were duplicates. No payout. Of course, this does mean taking it on faith from Uber that they WERE aware of these vulnerabilities.

For the final report...that's straight bullshit. Did you ask for mediation from HackerOne on that one? Cause if it's an XSS which triggered them to change the code, that deserves a > minimum payout.

[1] https://hackerone.com/uber

If those were vulnerabilities discovered prior, then surely they could cite to the prior report or an internal ticket to that effect. These weren't previously discovered issues, especially the certificate pinning Surface app one. Their own Bug Bounty Treasure Map specifically states that all requests to that mobile endpoint are certificate pinned, but aren't in the Surface app.

But the best part is, when I was reporting various issues to the Bug Bounty, their staff is actively fixing stuff on the backend (I was getting different application responses after the initial report was filed, but only until I gave them more info on the WAF and XSS_Auditor evasion stuff did they finally pull the whole application offline). And then they still didn't pay anything on the bounty.

Yeah I sent HackerOne a bunch of mediation requests, each response was a different excuse why they won't get involved with it. My "Signal" is too low or it's within Uber's discretion to close out the reports etc. Then they disabled completely the Uber Report Issue button. Yawn.

> Then they disabled completely the Uber Report Issue button

I don't have enough signal to make a report, but the button doesn't 404 for me, so my guess is you've been shadowbanned.

> then surely they could cite to the prior report or an internal ticket to that effect

Yeah, they should, at least to build the relationship. Public programs have so many erroneous reports they probably stopped doing the "nice" thing ages ago.

> But the best part is, when I was reporting various issues to the Bug Bounty, their staff is actively fixing stuff on the backend - that XSS issue they were trying to fix on the backend, but without paying anything for the discovery. I was getting different application responses after the initial report, but only until I gave them more info on the WAF and XSS_Auditor evasion stuff did they finally pull the whole application offline. And then still didn't pay.

If this is true, that's really bad. I'd be curious to hear the other side of the story if there is one.

> it doesn't make sense for Uber to a) publish a list of current unpatched security vulnerabilities

Hackerone could require them to publish a list of hashes of unambiguous descriptions of known bugs. That way they could prove beyond doubt which issues were already known - much like astronomers published anagrams to prove their discoveries' priority in the 1500s.

It wouldn't solve the problem of people wasting their time rediscovering bugs that don't pay out, of course.
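
The hash-publication idea in the comment above, sketched as an added example (not part of the thread, and not HackerOne's or Uber's code). It assumes the platform keeps a hash-chained log of commitments and that each commitment uses a random nonce, because a bare hash of a predictable description can be guessed; `commit`, `PlatformLog`, `known_before` and the sample descriptions are hypothetical and constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

FIELDS = ("program", "digest", "day", "prev")


def commit(description: str, nonce: Optional[bytes] = None):
    """Commit to a bug description. Returns (public digest, secret nonce).

    The nonce keeps a short, guessable description from being recovered
    by hashing candidate texts against the published digest.
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    mac = hmac.new(nonce, description.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest(), nonce


def guess_unsalted(published_hex: str, candidates):
    """Show the weakness of a bare SHA-256: try likely descriptions."""
    for text in candidates:
        if hashlib.sha256(text.encode("utf-8")).hexdigest() == published_hex:
            return text
    return None


class PlatformLog:
    """Hypothetical append-only log kept by the bounty platform.

    Each entry hashes the previous one, so a program cannot backdate
    or rewrite a commitment without breaking the chain.
    """

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def publish(self, program: str, digest: str, day: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"program": program, "digest": digest, "day": day, "prev": prev}
        entry = dict(body, entry_hash=self._hash(body))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: e[k] for k in FIELDS}
            if e["prev"] != prev or self._hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def find(self, digest: str):
        for e in self.entries:
            if hmac.compare_digest(e["digest"], digest):
                return e
        return None


def known_before(log, description, nonce, report_day: str) -> bool:
    """Mediator check: was this exact description committed before the report?"""
    digest, _ = commit(description, nonce)
    entry = log.find(digest)
    # ISO dates (YYYY-MM-DD) compare correctly as strings.
    return bool(entry) and log.verify_chain() and entry["day"] < report_day


if __name__ == "__main__":
    # Constructed sample data, not taken from any real report.
    desc = "example-app: session token not revoked on logout"
    log = PlatformLog()
    digest, nonce = commit(desc)
    log.publish("example-program", digest, "2017-10-01")
    print("known before 2017-11-20:", known_before(log, desc, nonce, "2017-11-20"))
    print("known before 2017-09-01:", known_before(log, desc, nonce, "2017-09-01"))
    bare = hashlib.sha256(desc.encode()).hexdigest()
    print("bare hash guessed:", guess_unsalted(bare, ["xss in search", desc]))
```

The digest only proves that this exact text existed on the logged day; whether the revealed description actually covers the reported issue is still a judgement the mediator has to make.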

I was going to suggest hackerone should be responsible for both storing and arbitrating known bugs but this is even better.

It's really hard to not think Uber is simply playing hackerone to get free penetration testing here by responding to everything as "already discovered" or "out of scope"... A dangerous game though if people catch on and get pissed off enough and just publish it like this, I can't really blame the author, the whole process sounds like bullshit.

This would appear to be consistent with what I've personally observed of Uber's approach to, well, pretty much everything.

I think it would go a long way just stating when they became duplicates. It would be hard to be mad at Uber if another person reported the same bug two days earlier.

It would be easy to be mad at Uber if this had been sitting in an internal bug tracker for three years just getting "closed, duplicate" every time someone made a Hacker One report.

Honestly Uber's response to all of these seems pretty professional and reasonable. The submitter was hard to work with and seemed pretty eager to jump to conclusions about the Uber team's motivations. I haven't seen the details of the JavaScript XSS one but given the past behavior I'd understand some skepticism.

Their response to the Microsoft Store lack of cert-pinning seems fair (though disappointing for the submitter): https://hackerone.com/reports/293358

> This limitation is already known to us and as such we'll be closing this duplicate per our program guidelines.

to which he replies:

> Cute. Big surprise.

They should link to a submission if one exists, but it's possible and reasonable they already had an internal ticket.

The second issue, not revoking tokens on the server side after logout, the Uber rep replied:

> Thanks for the report, but after looking into it, this is a known limitation of our legacy authentication system and we're actively working on a new system that will replace these long-lived tokens with a more mature bearer token. Currently, the value associated with the x-uber-token HTTP header is a token that is only changed upon password reset.

The submitter added a long list of CWE items for OAuth, one of which was relevant (CWE-613: Insufficient Session Expiration). The Uber rep replied:

> Closing it Informative is not a judgement on the validity of the report -- it simply indicates we already knew about this and are actively addressing it already.

Seems reasonable that Uber's team knows their tokens don't expire and that it's not a good practice.

The rate limiting on the promo code endpoint report is the worst. It looks like Uber actually forwarded this one on to an internal expert, who replied with:

> we would consider the lack of multi-factor authentication a best practices concern, out of scope for our bug bounty program. Additionally, Uber tokens (UUIDs) are made up of 128-bit highly entropic values, making them very difficult to guess or brute force. We’ll be closing this report Informative, as this does not pose a security risk in itself. We wish you the best of luck on your next report!

Which is completely fair (you'd have to try ~10^29 values to get a valid token assuming a billion accounts, which would take millions of years at 1 trillion requests per second). The submitter argued their PRNG might be broken but provided no evidence that was the case. The submitter then posted some very hateful personal attacks against the people responding, including:

> Oh my God. Are you seriously the Program Manager for Uber's Security Division, with a 2013 psych degree and zero relevant industry experience other than technical recruiting? LULZ

I can understand feeling less than obligated to give a payout on these.

Are you seriously suggesting that it is OK to open a bug bounty for e.g. a webpage that you know has XSS flaws, and then refuse to pay out when someone exposes them because "yeah, we sort of knew that there were XSS, and we're hoping to move past our legacy framework. Closed informative"?

Don't open a bug bounty if you have unresolved known issues unless you are prepared to pay out, that's bogus.

AMEN. I totally agree with this, Uber was 100% right on these decisions. My response is here: https://medium.com/@cdll/im-also-able-to-bypass-the-uber-one...

No, they were not 100% right, your blog post reads full of quickfire/offbrand outrage. Especially when you resort to personal attacks whilst chastising him for personal attacks.

All of your other points are "I don't believe him" and "here is some unrelated technical information about uuids that while correct is not really the point". Cool, good for you. Didn't need to put that in a blog post though.

The reporter's lack of maturity or social skills is not grounds for denying a valid bounty, and the fact that Uber responded by modifying its system in response to the reports of the final problem is strong evidence that they were both original and valid concerns.

I'm getting Uber fatigue. This company has been in the news mostly in a negative sense. It's lost on me what innovation, technologically, or socially, they have brought to the table.

Instead, perhaps we can focus on how we can fix this sharing economy, so that we can all benefit; not just the ones who happened to raise the most money from shareholders.

> how we can fix this sharing economy

Start by ditching the term “sharing economy” because there is no “sharing”, person A pays and person B provides some service, so it’s just “economy”.

In Baltimore we already do this. In Baltimore it's called hacking. http://afro.com/the-anatomy-of-a-hack/ It could be half the cost of a uber or lyft depending on where you're going. A $23-$30 ride could be $9-$15 via a hack. Most of these people are retired older dudes or drug addicts looking for money for their fix.

I thought of an app to facilitate this based off of a review system of past customers. Take a dollar off of the ride to encourage reviews. Leave a tip option to give the dollar back if the passenger liked the ride. Baltimore could benefit from this. Cheaper transportation that connects people that is.

> ...or drug addicts looking for money for their fix.

What a catastrophically bad idea..

Not all drug addicts commit crimes. There is certainly a place in society for people who fill their void(s) by using drugs. You do need to be careful though, not all addicts are crimeless.

I’m more worried about their ability to drive safely. I am not against drugs (I in fact believe legalizing them would be best) however, one should not drive a car when they are either high or on withdrawal because it prevents them from being able to drive safely. I would not want to be the passenger of someone who does drugs regularly because regular usage can have negative effects even after you are no longer high.

This is a really important thing - I look at addiction largely as a societal neutral, the societal harm is often more from the legal issues surrounding addiction, than the actual addiction itself. Before the laws changed in the early 20th century, prescribing maintenance doses of opioids for example, was considered normal and accepted practice.

I challenge you to explore addiction more fully - it is simplistic to assume that all addicts are opioid-linked and that maintenance dosages would remove harm (methadone programs are basically performing this function, so it is not as though this doesn’t happen).

Firstly, what is societal neutral? Is it where a person is able to indulge in their vices without affecting others, or causing cost to the community? Because if so, drug addiction (of prescription, or legal drugs - alcohol and tobacco - and illegal drugs) fails the test.

Speaking as someone working on the front lines (emergency departments) of society's care for vulnerable people, addiction is an enormous scourge that causes immense harm - particularly with ice which is highly destructive to the individual, their families and the social fabrics of communities.

I'm the child of an addict.

It really depends on how you measure cost - the current regime of punishing it, or treating it as a character weakness is clearly not working - plus moving sustained addiction outside of a care network to the black market, also clearly isn't working either.

Everything we do has a cost to the community, the question is, since we know we can't eliminate the cost, how can we reduce it?

I agree, services to support are very important and models that reduce harm should be encouraged and adopted

Amen! As a former drug addict, I can tell you that I would have given you amazing service. Reason being, that next $10 would have meant the world to me, and I wouldn't jeopardize it for anything. Stealing is hard and I was terrible at it.

It's pretty common to assume that addicts are just pieces of inferior shit. Hell, I felt that way before I was one. That was a rather rude awakening.

I think it's that real world experience with someone who had an addiction in your life that will change your worldview - my father is an opioid addict, and an alcoholic - and frankly, he managed to have both of these habits for 50 years and hold down a job, make a living, and (sort of) raise a child. He wasn't there when I was a kid - but I know he did the best job he knew how - even if it wasn't enough - and I can't fault him for it. Same with my mother, who was left emotionally kinda broken by her own childhood.

I've known many current and former addicts in my life - and I don't look at it as a character failing at all - it's just an unfortunate luck of the draw when it comes to biology, genetics, and life experience.

You underestimate the sense of poor people who just need a quick ride up the street or are desperate to get to a job that's on the verge of firing them for their lateness because the public transportation has failed them time and time again.

IIRC taxi permits are usually called hacking permits.

The old British term for a cab is a Hackney Carriage

^^^ What he said. How about "eBay for car rides"

It's not even eBay, since Uber sets the prices.

and tightly controls and rates customers and drivers. Think back to the 2014 downgrading of Uber drivers who worked for competing services.

yea make it dude see if it's successful, no one is stopping you

I've often thought it would be cool to build a fairer ride hailing app that gives drivers more autonomy. The driver buys the app as a one time purchase, they get to set their own prices, and there is more transparency between buyer and seller. There could be a simple bidding process where users request a ride, drivers make an offer, and the user accepts one based on price, how far away the driver is, and their reviews. Basically the app would be more light-weight and be more like a marketplace.

Sounds great until you realize 1. riders would only use the app if they could sort by 'price,' 2. drivers would therefore have to constantly change their rates to reflect what those in the area are charging at a given time/supply/demand level, so.. 3. in order to do this effectively without creating massive unexpected price swings for both drivers & riders, you'd end up automating this 'bidding' system and hey whaddya know, you just built Uber again!

Genuinely curious about this - why would the price swings in this case be worse than with uber? With enough drivers, I would expect prices to reach an equilibrium that depends on time of day/day of week, with highly rated drivers charging more. And even if the price swings were larger than uber's, wouldn't the prices be more optimal since they would be set by individual actors with more local info about the cost of providing the service?

While Uber and Lyft raise prices in periods of high demand, they also subsidize rides in periods of low demand to keep a consistent quality of service. You'd have a hard time getting a network as reliable as Uber and Lyft without that subsidy.

It's not uncommon to see Uber retain 75% of the fee collected these days. The subsidies are much lower and less frequent than you are probably expecting. In Los Angeles, you are talking about 1.1-2.0 subsidy on base rates in the same areas with base rates for the driver being .72/mi and .11/min.

So, decentralized and trust based. But then the challenge is to engineer around abuse on either side. Seems a worthy project.

That sounds like a great idea, the only point I'd make is that a one time purchase model wouldn't work because you'd have ongoing costs (transaction fees for payments, records you legally have to keep, etc.).

Good point - a subscription model would probably be better.

I want to make this and include a multi-level marketing network model so drivers are additionally incentivized for recruiting and retaining halfway decent drivers. Herbalife for transport!

In Ukraine we have a taxi app where user selects price he's willing to pay and waits for drivers. He can increase the price if no drivers take an offer.

Reminds me of a similar project that popped up on HN a while ago.


Semi-related: there's a startup in Denmark [0] trying to do this for parcel/freight transportation. I'm not sure how well they're doing, though.

[0] https://www.badabring.com/ (link in Danish)

That’s basically what SideCar was, as drivers could set their own rates, and passengers could choose from a number of offers based on total price, quality, driver rating, and time until pickup.

SideCar closed in late 2014 though :-/ (And there was a recurring cut paid to SC.)

Something like what Project Wonderful does with web advertising would really have big potential

> Instead, perhaps we can focus on how we can fix this sharing economy, so that we can all benefit; not just the ones who happened to raise the most money from shareholders.

I already benefit from it massively. Before my roommate got me into using Uber a few years ago, I was hesitant to travel to new cities or even go somewhere new or unusual in my own city because of being intimidated by having to figure out where and how to hail a taxi or having to figure out the bus routes. Now as long as I have my phone and I'm in a somewhat populated area, I have no fear.

> Before my roommate got me into using Uber a few years ago, I was hesitant to travel to new cities or even go somewhere new or unusual in my own city because of being intimidated by having to figure out where and how to hail a taxi or having to figure out the bus routes.

I'm not familiar with the US, but taxis in most European countries have an app these days. Even >20 years ago you could just call their phone number and they would pick you up from (or drop you) anywhere, even in remote villages, even at 4am. Never had a problem. I find it hard to believe the same isn't true for the US.

Sure public transport isn't as flexible route/time wise but I don't see how Uber is different from regular taxi service - apart from the price.

You should listen to all the Americans insisting the taxi experience was nowhere near that easy or good. Because outside NYC, it was utter shit. And good luck even in NYC if you're black, or going to the airport, or the outer boroughs, or ...

Fixing sharing economy - develop proper distributed system that runs akin to bittorrent/bitcoin model with guaranteed feedback mechanisms that mitigates against systemic abuse. Super hard job. But it would, if solved, truly revolutionize/create the shared economy space.

They have not brought any innovation. They are just a company with a very reliable and robust service. For all the bad news it's just social moral crying, it's nothing about their tech.

As a service they are great, reliable. That's all you need to be a successful business, you don't need to innovate. Let Google and Microsoft think about AI. All Uber needs to do is make sure I get to my destination on time.

When you think about impact, you might say Uber has topped all tech companies. Sure Google AI can be the best chess player, but Uber gives mobility to me and many others in an easy to use application which is much more effective in my day to day life.

Posted this as a response on Medium but got blocked cause I guess he just wants yes men around lol:

“I’m also able to bypass the Uber OneLogin SSO portal, resulting in source code disclosure from their internal uChat employee messaging system.”

Where’s the proof? I don’t see any whatsoever. I highly doubt that you were actually able to bypass the OneLogin because if you did, they’d definitely pay out and it’d be an actual issue rather than some crappy bugs.

Lack of certificate pinning IS NOT a critical issue. Critical issues are code execution, file read, etc.

The odds of you actually guessing UUIDs are super low and pretty difficult, they did the right thing in closing as informative. You’d have to try “~ 10²⁹ values to get a valid token assuming a billion accounts, which would take millions of years at 1 trillion requests per second.” You claimed their PRNG was broken but had no evidence or support to back it.

“Are you seriously the Program Manager for Uber’s Security Division, with a 2013 psych degree and zero relevant industry experience other than technical recruiting?” — you’re a complete moron, glad you know how to personally attack people, Uber definitely had the right to ban you from their program.

Programs CANNOT delete comments from HackerOne Reports (as you claim in https://hackerone.com/reports/293359)

Uber DEFINITELY made the right choices in closing your reports as informative, but go ahead, fool yourself

Has anyone been paid for these sorts of bounties by Uber? (Short of the $100,000 extortion payout swept under the rug of bug bounties)

It otherwise appears to be an attempt by Uber to get a bit of free crowdsourced pentest.

I'm honestly curious about the HN community on Uber now: does anyone trust Uber on anything at this point? Do you still take any of their research, publications, whitepapers, etc., at face value? Do you trust their code contributions on OSS to not contain malicious attack vectors?

As a researcher on Uber's program, I can assure you that OP has no clue what he's talking about. I've made a bunch of money from their program by submitting valid security issues, not this garbage he's complaining about. It's blowing my mind how everyone on HN is just eating this up, so much misinformation.

> Has anyone been paid for these sorts of bounties by Uber? (Short of the $100,000 extortion payout swept under the rug of bug bounties)

They've paid out more than $1,300,000 in bounties, you can view all their payouts here: https://hackerone.com/uber/hacktivity?sort_type=latest_discl...

> Do you trust their code contributions on OSS to not contain malicious attack vectors?

This has nothing to do with anything.

Good to know they aren't actually deadbeats on bugbounties and can chalk up this example to honest disagreement.

As for the rest, it has to do with everything. Would you trust your application's security to code libraries written by a company with the allegations hanging over Uber? If there's a chance your customer data might be a strategic asset for Uber?

If you check reports that are actually valid, you can see that Uber actually pays for valid issues. Excluding the 100,000, Uber has already paid 1million+ in bug bounty. Please check their hackerone platform :)

How does being rude with personal attacks help your case at all? (On a purely emotional level, it even makes me want to side with Uber for this)

> Oh my God. Are you seriously the Program Manager for Uber's Security Division, with a 2013 psych degree and zero relevant industry experience other than technical recruiting? LULZ (https://hackerone.com/reports/293359#activity-2203160)

> Cute. Big surprise. (https://hackerone.com/reports/293358#activity-2214673)

not to mention linking someone's social profile in a blog post about a company:

> So these tickets get assigned to Rob Fletcher with Uber’s security team.

Unfortunately, at least for me, this comes off as public shaming.

Are you familiar with the freelancers' concept of "fuck you, pay me"?

I guess, that's how the first part works. There are things you can try, and there are other things. Messing with freelance pen testers is clearly one of the latter.

Given the nature of the game I'd say that's a mild response. On a scale of 0 to 10 that would rate a 3 or so. If there is one group I'd really avoid pissing off it would be pentesters.

The freelancers „fuck you, pay me“ is based on very clear contracts and respectful communication, even when things go bad. This is not what’s happening here AFAICS.

"Minimum payout of $500" sounds like a very clear contract.

Once they have shadowbanned the author, IMO, any attempt at respectfulness is violated by bug bounty organizers.

Maybe there are things more rude than shadowban, but I'm not aware of such.

The minimum payout is subject to various conditions — for example, not being a duplicate. The author did not meet those conditions, and resorted to personal attacks instead of keeping things professional.

Uber has many, many problems as a company, but on this matter I can't say they're in the wrong.

Well, it doesn't seem like the last report was a duplicate.

The one they failed to recognize as XSS. If they paid for that one there would be no blog post and no name calling.

Clearly doesn't help his case, but it's not really material to whether they should pay out or not. Why didn't they disclose the one that most everyone here agrees was an obviously-qualified-for-payout vulnerability?

It looks like a "reap what you sow" situation. No one is looking good now.

Uber is the last company in the world that gets to complain that somebody isn't being nice to them.

This seems unnecessarily callous. The writer was incredibly insulting to a person in a public forum, but that's ok because "well they worked for Uber"?

I don't see this discussion as about whether a corporate PR team is allowed to issue a response. It's about the author childishly lashing out at an individual because he didn't agree with their decision.

I didn't say it's ok. I said Uber doesn't get to complain.

Indeed, my belief is that this guy's and Uber's behavior are both not-ok, which is exactly why Uber doesn't get to complain.

That's not how that works at all.

Irrelevant. If he found these bugs, even if he’s been a dick about it then he still found a bunch of vulnerabilities that Uber was exposed to. Pay the man, it’s a few thousand dollars as opposed to a major exploit!

But that's my point. Of course he deserved a payout if he reported a previously unknown vulnerability. What I'm saying is that he (appears to have) behaved in such toxic way (sow) that someone denied something he deserved (reap). All parties in this are squishy humans with emotions.

No one looks good - he doesn't look good for how he behaved/communicated, Uber doesn't look good for denying the payout on a valid report, and Hackerone doesn't look good for not enforcing a minimum payout on a valid report.

Just because you violate social mores does not entitle someone to violate the terms of their engagement with you.

A bunch of P5's that were rightly closed as informative. I completely agree w/ Uber's decisions here...

These are low severity reports. The first two require difficult prerequisites for an attacker to exploit, and the last one was not proven to be a security flaw.

#293358: it's not ideal that the certificate isn't pinned, but to exploit this an attacker needs to either install their own root certificate on the victim's device, somehow obtain a private key for a certificate already installed, or have a certificate authority misissue a certificate to them for an Uber domain used by the app.

#293363: an attacker still needs to acquire the victim's X-Uber-Token somehow for this to be useful. It's also somewhat mitigated by the token being invalidated when the victim changes their password.

#293359: as pointed out by Uber, no weaknesses in the token generation algorithm were actually demonstrated, and brute forcing the 2^128 keyspace is infeasible.

Also, the rudeness he displayed was petty and unhelpful:

> given the fact that at least one of your system architects were apparently high when they designed and implemented your bearer token assignment process

> Not completely unexpected though, given the caliber of talent utilized by Uber such as the “security” group that you hail from. You would do well in government security consulting, for sure.

> Oh my God. Are you seriously the Program Manager for Uber's Security Division, with a 2013 psych degree and zero relevant industry experience other than technical recruiting? LULZ

All in all, rather a poor result for this vulnerability researcher.

Their bug bounty is definitely fishy. If you pull their reports for the last few months, every single one of them at HackerOne have been redacted/locked with no information published. According to HackerOne their vulnerability reports become public after 30 days, but they've given Uber the ability to lock them which keeps everything private.

Alright, I need to make more things clear here because clearly you have no experience on how HackerOne's platform works:

1) Companies have the ability to change when the disclosure happens. This is because sometimes, if I find an RCE, let's say, companies have to run incident response. This sometimes takes more than 30 days. Also to add, if I just request disclosure for any BS report then it will just cluster the disclosure page with no valuable information for new hackers.

2) I haven't seen reports getting locked unless reporter goes "Can i haz update" every 2 days. Then in such cases, Locking a report is more than fair.

3) You might be confusing this with Limited Disclosure. That is allowed in both sense by companies and hackers. Most of my reports are limited disclosure because sometimes, I have to share personal details or personal information that I don't want other hackers to see.

I support transparency that is why, till this day, all of my resolved reports for public programs are publicly disclosed. Even in Uber's case, I have disclosed bug but they were limited disclosure because it had my personal information. But if you check, Uber has allowed me to write public blogs on my reports.

So please, learn about the platform and a program works before you make any form of assumption.


Simply putting my name as HackerOne user does not mean I am biased. Also no, hackerone or Uber none of them paid me to say the comments. If simply putting my points and pointing out the wrong facts will make me look biased then so be it.

> simply putting my points and pointing out the wrong facts

An argument should be judged purely on its content. No matter who says it or what their motive is.

However it is reasonable for someone to be suspicious given that you had to create a new account to do that, and you are so vocal in this story.

sxcurity 57 days ago [flagged]

Great argument end sarcasm, you yourself are also obviously biased

Would you please not post unsubstantive or uncivil comments to HN? You're welcome here if (but only if) you want thoughtful conversation.

> So please, learn about the platform and a program works before you make any form of assumption.

Welcome to Hacker News, I see it’s your first time visiting.

lool he has valid points though.

Welcome to you too!

I'm guessing this thread got linked to from reddit

Acting like there's a conspiracy against you is not helping your case at all, it's just making you look paranoid and unreasonable.

I assumed that was in response to the whole ransom thing, not directly related to refusing to publish vulns.

This is why I see these programs in general as foolish. Either you're an employee of the company and you're being paid as such or you've got a proper contract that specifies objectives and compensation. But these bounty programs that leave all the power in the hands of the company just aren't really a great idea. I wonder how many times something like this happened and it went unreported because the hacker just didn't want to sink more time into something that clearly wasn't paying out.

Are you basing this opinion on this one account? I would like to point out that Uber has a history of sleaze and would absolutely not use their behavior to judge any such programs. Are there other well described, similar instances of such poor behavior from legitimate companies?

It seems to me that most of the bigger corps offering bug bounties may be paying too little but at least they follow their own rules.

Khaos Tian published a writeup a few days ago about how he discovered a wide-open HomeKit vulnerability [0]. He reported it properly months prior, but Apple ignored his followups and was unresponsive. After this extended radio silence, Tian reached out to a media contact. Within hours of being contacted by the website, Apple finally pushed a hotfix for the vulnerability.

Apple subsequently denied Tian access to their bug bounty program because going to the press "voided the qualification for the invitation." [1]

[0]: https://medium.com/@khaost/your-home-was-not-so-secure-after...

[1]: https://twitter.com/KhaosT/status/943283519119179776

And this, kids, is why blackhats are selling your vulns to other blackhats.

Clearly a problematic exchange, but, nowhere is it said that this is a bug bounty program interaction nor is it an account of Apple denying promised payment for such a program.

I'm certainly not justifying a poor communication and response to the report, but, it seems like a very different kind of problem, and not one reflective of the kind of corporate sleaze often seen from Uber.

I work with HackerOne as an employee of a company with a bug bounty program. We're pretty sensitive about pissing off submitters. We're pretty strict about honoring our scope. Even if we know about a vulnerability, if we haven't specifically excluded it then we usually pay out (except duplicates where we have already paid out for it). I've seen many submitters respond with something along the lines of "thanks for the quick payout, I'm going to spend more time on your product".

We want submitters to spend time finding issues for us. That's why we set up the program. It's important to our brand that we don't have security issues and we recognize that a few thousand dollar payout to HackerOne is much cheaper than the potential legal bill if we were compromised.

Lots of bug bounty programs work out great! But there are a couple of companies I would never try to get a bug bounty from, based on their reputations. Oracle is one, for being litigious fuckwads; Uber is another, for literally everything they do and say.

There are good programs, but this reveals that you shouldn't trust HackerOne as far as you can throw them

I'm gonna need a response from HackerOne on this one. It's a very bad look for both Uber (yet again) but also HackerOne.

How? These were terrible P5 reports that would get closed as informative in ANY PROGRAM. He has no evidence behind the claims of the "xss" and the "OneLogin bypass" which they would have indeed paid out if it was valid. I'm highly disappointed in people here, geez.

I'm pretty disappointed too, now that I've seen the actual reports and his awful behavior. :-(

No, I was too eager to jump on Uber, here.

What is the end game here? There is a black market for this stuff and payouts are orders of magnitude higher than the bounty programs. Why they would skew things even more in favor of that route by behaving like this is a mystery.

> payouts are orders of magnitude higher than the bounty programs

This is mostly false except for a narrow class of products and bug classes. You could get more on the black market for an iOS jailbreak than Apple would pay you, yes. You could not get more on the black market for any of the bugs the author submitted - most likely you wouldn't find a buyer at all.

For a reflection attack you sure would find a buyer at a rate far beyond $500

Uber's response is a joke, but I'm more surprised by how HackerOne is not helpful here. Sure, their revenues come from corporations, but if they don't maintain a healthy community (where hackers get rewarded appropriately) the platform will lose any attraction.

My firing-from-the-hip response is that HackerOne is possibly making more bank from Uber and other big corporate clients in the short term than they would from building an established userbase, and they are going to cash out and dump the project soon. Corporations get what they wanted (effectively free quality pentesting), and HackerOne can run the narrative that it was a "foolish venture" all the way to the bank.

But, I'm probably wrong; the company seems to be well financed and has attracted a ton of clients that would be pissed if their investments were to disappear like that. Maybe it's just growing pains combined with fear of pissing off bad actors like Uber. They supposedly have nearly 100,000 active pentesters contracted, so they can stand to lose a little face to keep Uber happy.

Only the XSS one was a real vulnerability, they should have paid $500 at least for that though.

Client side logout with seemingly no token expiration is a very serious vulnerability, especially for something like Uber where payments are involved.

Yeah that's a big one, and an issue with the core of their entire authentication workflow that they cannot fix without invalidating tens of millions of apps or forcing everyone to upgrade. Whenever you sign off of their mobile app there is no communication with the network, they are just erasing the token on the client side.

Not the parent commenter and I get what you mean, but if they state that it's a duplicate issue (and assuming on good faith that it is), doesn't it make sense that they don't pay you out for that?

I'm 100% on your side regarding the XSS issue but you can't expect them to have a list of security vulnerabilities that they've already discovered at your disposal.

Yeah, but we have no idea how long this has been unfixed. I reckon all security bugs not paid out to Uber at this point should just get automatically publicly documented.

Also: this is Uber. At this point, they’ve used up all their good faith. I definitely wouldn’t be taking anything they say in good faith - I still haven’t forgotten them threatening a journalist or publicly tracking the ride of a CEO for an entire room of people!

I recall that either OAuth or SAML doesn't have capabilities for logout.

I believe it's OAuth (same with JWT) in that there is no endpoint one can POST to in order to "logout," but the end-of-authorization concept exists in both OAuth and JWT via token revocation on the server-side

SAML has an actual logout endpoint
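The difference the comments above describe, between erasing a token on the client and revoking it on the server, as an added Python example that is not code from the thread, Uber or HackerOne. The token format, the function and class names and the in-memory denylist are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # constructed signing key (assumption)
REVOKED = {}                       # server-side denylist: jti -> exp

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(body):
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue_token(user, ttl=900, now=None):
    """Issue a signed, JWT-like bearer token with an id (jti) and expiry."""
    now = time.time() if now is None else now
    claims = {"sub": user, "jti": secrets.token_hex(8), "exp": now + ttl}
    body = _b64(json.dumps(claims).encode())
    return body + "." + _sign(body)

def verify_token(token, now=None):
    """Return the claims if the token is authentic, unexpired and not revoked."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:
        return None
    if claims["exp"] <= now or claims["jti"] in REVOKED:
        return None
    return claims

def server_logout(token, now=None):
    """Logout that reaches the server: revoke the jti until it would expire."""
    now = time.time() if now is None else now
    claims = verify_token(token, now)
    if claims is None:
        return False
    for jti in [j for j, exp in REVOKED.items() if exp <= now]:
        del REVOKED[jti]            # expired entries no longer need tracking
    REVOKED[claims["jti"]] = claims["exp"]
    return True

class MobileClient:
    """Hypothetical client that holds the bearer token."""
    def __init__(self, token):
        self.token = token
    def logout_client_only(self):
        self.token = None           # no network call: server state unchanged
    def logout_with_revocation(self, now=None):
        ok = server_logout(self.token, now)
        self.token = None
        return ok

def demo():
    t0 = 1_000_000                  # constructed clock value
    token = issue_token("rider@example.test", ttl=900, now=t0)
    copy = token                    # any copy of the token held outside the app
    client = MobileClient(token)
    client.logout_client_only()
    after_client_logout = verify_token(copy, t0 + 10) is not None
    client = MobileClient(copy)
    client.logout_with_revocation(t0 + 20)
    after_server_logout = verify_token(copy, t0 + 30) is not None
    return after_client_logout, after_server_logout

if __name__ == "__main__":
    print(demo())
```

The first value shows the token still verifying after a client-only logout; the second shows it rejected once the server has recorded the revocation, with the `exp` claim bounding how long any unrevoked copy stays usable.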

I don't understand why he didn't make an alert(document.domain), the universal "this is legit" bat signal. Instead, creating some weird form phishing demo?

I think there is more to this story, it sounds like this wasn't a "Cross Site Scripting", but "Content Injection" or "Content Spoofing", a far less serious bug.

You're gonna hate me, but I would award $0 for Content Injection, it's just not a big deal ¯\_(ツ)_/¯

Initially JavaScript was being escaped with their WAF.

The second POC demonstrated the ability to evade both their WAF and XSS_Auditor.

Their development team then verified the ability to execute arbitrary JavaScript from any *.cloudfront.net host.

That's pretty much the whole story.

Could you make an alert(1) or not?

If you couldn't, it's plausible the non-security developers incorrectly speculated it was possible?

Now I'm starting to wonder the same thing, *.cloudfront.net is not Uber.

> Only the XSS one was a real vulnerability, they should have paid $500 at least for that though.

That's false. Non-expired authentication tokens are a serious issue.

So what protects HackerOne users from companies claiming that every report is a known issue and not paying anything out ever?

Yep, HackerOne lost any credibility to me

OP needs to learn the difference between poor application design and exploitable bugs.

Here is my personal take on this:

I have worked personally on numerous occasions with Uber's security team. I have helped them with many security issues and they have always been open to securing vulnerabilities, listening to hackers to make a change and even paying good payouts.

There are a couple of things I want to point out to the author here:

1) You said that if these were Duplicate reports, they have to have a report number assigned. If you use the HackerOne application frequently (which it does not look like you do), a report number is only assigned if it was submitted by another hacker. There are situations when internal findings are also in the process of being fixed.

Uber's treasure map is simply a guide. If you find something that is a bypass of what they said they have, that does not mean it's an original finding. I work at a company where we have our own security team breaking applications every day. Sometimes hackers submit similar findings that our security team found before. In such cases, if it is a low priority issue, it will take time for us to fix because we do not prioritize it. In that case, a hacker will get a report marked as Duplicate with no report number assigned.

For the first three reports that is exactly what happened.

2) A personal attack against an employee of a company will not help you anyway. You went after an employee just based on your degree. If you look closely in the industry, it is a matter of experience, not degrees. I have worked with colleagues who are way smarter than me in the field and have way more experience. I never judge them based on their degree.

3) I am still not sure about your reflected XSS bug. Were you able to get an XSS to actually execute? Seeing the reply from Rob makes me think you probably found a valid XSS that works on an old browser. In addition, you also said you gained access to internal uChat: "I’m also able to bypass the Uber OneLogin SSO portal, resulting in source code disclosure from their internal uChat employee messaging system." but you did not prove that anywhere in your blog so I don't know if that is legit.

To conclude, considering the recent media attention at Uber due to security mishaps that occurred before, it seems to me that you are just looking for media attention. Your title first is clickbait because 3 of your reports are duplicates so I am not sure why you expected any bounty.

To make this clear: I am a hacker in the community and an active participant in Uber's bug bounty and also in HackerOne. I have never seen Uber be unfair to hackers in the platform. Hell, to even encourage hackers, they started to pay 500 on triage.

That said, I am looking forward to your comment on this and would love to see your discussion on my points listed above.

For 3) what are you not sure about? He demonstrated arbitrary DOM manipulation, and it reads like the XSS worked with some WAF avoidance. Brass tacks do you agree they should have paid out something for this?

I will not say anything about whether he needs to get paid or not until Uber discloses the report. If he showed that it is a valid xss and not a content injection then I guess it would be valid. But again, right now we do not have the report made public.

Even your username tells us that you are absolutely biased toward HackerOne. Maybe you are even a staff member/co-founder of HackerOne.

My username has nothing to do with anything. I simply chose it to hide my identity. I said what I said because I hack multiple programs throughout multiple platforms. These kinds of blogs usually give a sense to companies that all hackers are like these. This leaves a bad impression about what we actually do. I don't think simply having hackerone in my name will make me biased. If you check my comment, you will see I have not said that HackerOne is right and the hacker is wrong. I have simply pointed out the right facts that I felt were important for everyone to see. His blog leaves out a lot of points and also misguides readers.

Hopefully this clears it up for you.

Also, I wish I were a HackerOne employee or worked in any of these platforms as an employee. I am simply a hacker and also an employee of a company that runs a bbp, so I have been on both sides and I understand the frustration of both sides. Being frustrated does not provide excuses for the hacker's behavior of harassing an employee based on their degree. This community is diverse and that is what we should learn to appreciate.

From the comments and the article, it seems HackerOne cares for security researchers and white hat hackers insofar as they attract companies to their platform.

From the comments and the article. it seems HackerOne cares for security researcher and white hat hackers insofar as they attract companies to their platform.

I guess their apathy makes sense from a short-term, bottom-line perspective, but it still seems a little unseemly.

Is there a better alternative to HackerOne for the security community?

With all the horror stories I've been reading since the 90's I'd never help any company like this (again). Discover a vulnerability and get sued or punished. Fix their bugs for them, get nothing for doing their job for them.

I remember contributing to BigCommerce's crappy software just because I needed it to actually do its job (despite the fact that my boss was paying their enterprise rate). I got shitty responses from their devs and nothing got fixed when I forked and submitted patches. I kept and then hid my working fork and never looked back.

Yeah, a company can fix its own problems. Open source, perhaps... Helping a profitable business for nothing? Never again.

This is terrible! So sad to see companies make use of people's time and effort without even acknowledging their contribution.

This is not just about Uber; it also indicates problems at HackerOne, if this is its response to a mediation request:

"we have contacted the Uber App Sec team and they have confirmed with us that these are not security issues that are in scope on their program."

Contacting the other party and reporting back what they say is not what is meant by mediation. This is underscored by the next sentence:

"I understand that this can be a disappointment but I can assure you that they looked at this report and gave it the proper attention it deserved." [my emphasis.]

I agree w/ Uber on these bugs, they're trash and would be considered informative by almost every program

This seems like it will self correct. Get a reputation for not paying, and now you have skilled adversaries with a grudge to settle. Bug bounties aren't the only way to monetize this particular skill set. Or maybe getting paid becomes less important than getting even.

This looks like a complete failure on HackerOne side - do they care to comment publicly?

Uber’s bug bounty seems like a complete joke.

What do you expect from a company whose motto is "always be hustlin" !?

If true, then Uber dropped the ball again when it came to PR.

When a company does something immoral, why do people always say "well that's bad because it's bad PR"? How about, that's bad because it's immoral?

Because immoral actions don't tend to hurt the bottom line, in fact generally the opposite.

Until, that is, someone shines a light on said immoral behavior for the public to see. Then it tends to have an effect, small as it may usually be.

In my view it's because immorality only really affects a company if it's perceived as immoral (i.e. is a PR issue)

Because it's assumed that a company can do whatever it wants as long as it's self serving and not blatantly illegal.

Morality is a human standard of behavior, corporations are non-human persons.

I realize this can seem like a cynical take, but if you look at the devastation to our planet, and even human life, I think you can see it's an attempt to be accurate, not cynical.

The people who run a corporation can struggle to maintain a moral direction, but that aim is orthogonal to the goals of the firm and when a conflict arises, it's "logical" for the company to replace whoever diverts it from its goal.

The problem is you trusted Uber in the first place

I wonder if this is the same Gregory V Perry who claimed there'd been an attempt to backdoor OpenBSD IPSec code: https://marc.info/?l=openbsd-security-announce&m=12923753140...

Just like this one, his story back then didn't quite add up either.

Hm, both profiles have one thing in common: VMware training/instruction. You might be on to something.

Let me get this straight: there's a company built to exploit the ignorance of people of just how much it costs to drive their own car and the complete disregard of law and you thought while they don't respect their drivers and various governing bodies all over the globe they will respect you ?

Regardless of how strongly you feel or how wrong other people are, please don't post tendentious rants to HN. This breaks the site guideline which asks the following:

Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize.

That "says" can be extended to "says, does, is". What you posted has a lot of indignation but doesn't come close to passing the "strongest plausible" test. Maybe you don't owe better to a corporation, but you owe better to this community if you want to post here.

I think you will realize, once you have cooled down a bit, that it is exactly people's awareness of how much it costs to own and drive a car in terms of money and mental peace that drives them to use services like Uber.

And yes, I know you were referring to people who drive for Uber.

For many people, the process of owning and driving a car doesn't make overall sense, which is why they pay others to do it for them.

I don't see anyone complaining about how maids have to, oh my gosh, clean houses.

> it is exactly people's awareness of how much it costs to own and drive a car in terms of money and mental peace that drives them to use services like Uber.

The point is that it's far less profitable than it seems, is very stressful, and has variable (unstable) income which further adds to the stress. See for example Uber The Game [1] based on real life examples.

> I don't see anyone complaining about how maids have to, oh my gosh, clean houses.

Well, of course they don't complain about that here. That'd be offtopic.

Part of the problem with issues like these is that if they don't affect you, why bother caring? Reading about it? Investigating the issue? You're not a maid, so why would you bother? You not enough on your plate as it is making your own deadlines and taking care of your family and and... which creates apathy.

I happen to know that regarding maids, and I won't speak for all hotels, but I happen to know from a series called RamBam [2] that at least in 2016 at the Bastion and Ibis hotels in Amsterdam, the cleaning service profession ("hotel maid") was 1) very stressful 2) paid by the number of rooms being cleaned 3) a very low number of minutes per room is being accounted 4) if you don't make it (setback of any kind), tough luck, you get paid less or you gotta work longer. It's a job you would only get if you can't get any other, and you desperately need the money. The companies who hire know that, so the employees get exploited.

If that's still the case, if it's more widespread, I don't know...

Cause what happens all too often in situations like these is when companies have shady, illegal, immoral behavior they resort to ostrich politics until they get exposed and it causes public uproar (in US, as a foreigner, I could think about say, Consumer Reports, or a John Oliver broadcast, or news about X in regular media). Then they start with damage control, but not necessarily with real steps to solve the issue. Just the symptom that the public perceives. Examples of damage control could be empty promises, solving the issue of the specific complaint of that one user, more empty promises, a bunch of excuses, some technicalities or pseudo-intelligent speech, yet more empty promises and excuses, shifting the blame, and all kind of other fallacies. It precisely describes what Uber did until a big change occurred (they got a new CEO). Heck, I've seen Uber employees exercise damage control on HN! Another good example is the #metoo debacles where people deny the allegations until the proof stacked up too high.

[1] https://ig.ft.com/uber-game/

[2] https://nl.wikipedia.org/wiki/RamBam#Seizoen_5 (see 5.2)

The Social Generation loves to do free work!

Every character you write is worth less than $0 due to your inability to collect your bismal worth.

More like you got paid $0 for obvious and shit findings along with a crappy attitude.

This. Seriously rate limiting??

This Uber company makes me so angry. I go to the Hacker News and I always see bad things about them. I just want to scream! What are they even doing for society—aside from employing hundreds of thousands of people and reducing drunk driving deaths. Doesn’t this stupid company realize that there are 500 angry journalists and technologists who don’t care about those two things.
