> duplicate -- a vulnerability that has previously been found either internally or via Hackerone
As much as it sucks to find a bunch of vulnerabilities and not get them paid out, it doesn't make sense for Uber to a) publish a list of current unpatched security vulnerabilities or b) pay out everyone who reports the same vulnerability (make n accounts, report the same thing in each one, get minimum payout * n). I'd say it's off base to say that Hackerone didn't have your back. They were duplicates. No payout. Of course, this does mean taking it on faith from Uber that they WERE aware of these vulnerabilities.
For the final report...that's straight bullshit. Did you ask for mediation from HackerOne on that one? Cause if it's an XSS which triggered them to change the code, that deserves a > minimum payout.
But the best part is, when I was reporting various issues to the Bug Bounty, their staff was actively fixing stuff on the backend (I was getting different application responses after the initial report was filed, but only when I gave them more info on the WAF and XSS_Auditor evasion stuff did they finally pull the whole application offline). And then they still didn't pay anything on the bounty.
Yeah, I sent HackerOne a bunch of mediation requests; each response was a different excuse why they won't get involved with it. My "Signal" is too low, or it's within Uber's discretion to close out the reports, etc. Then they completely disabled the Uber Report Issue button. Yawn.
I don't have enough signal to make a report, but the button doesn't 404 for me, so my guess is you've been shadowbanned.
> then surely they could cite to the prior report or an internal ticket to that effect
Yeah, they should, at least to build the relationship. Public programs have so many erroneous reports they probably stopped doing the "nice" thing ages ago.
> But the best part is, when I was reporting various issues to the Bug Bounty, their staff is actively fixing stuff on the backend - that XSS issue they were trying to fix on the backend, but without paying anything for the discovery. I was getting different application responses after the initial report, but only until I gave them more info on the WAF and XSS_Auditor evasion stuff did they finally pull the whole application offline. And then still didn't pay.
If this is true, that's really bad. I'd be curious to hear the other side of the story if there is one.
> it doesn't make sense for Uber to a) publish a list of current unpatched
It wouldn't solve the problem of people wasting their time rediscovering bugs that don't pay out, of course.
It's really hard to not think Uber is simply playing hackerone to get free penetration testing here by responding to everything as "already discovered" or "out of scope"... A dangerous game though if people catch on and get pissed off enough and just publish it like this. I can't really blame the author; the whole process sounds like bullshit.
It would be easy to be mad at Uber if this had been sitting in an internal bug tracker for three years just getting "closed, duplicate" every time someone made a Hacker One report.
Their response to the Microsoft Store lack of cert-pinning seems fair (though disappointing for the submitter): https://hackerone.com/reports/293358
> This limitation is already known to us and as such we'll be closing this duplicate per our program guidelines.
to which he replies:
> Cute. Big surprise.
They should link to a submission if one exists, but it's possible and reasonable they already had an internal ticket.
The second issue, not revoking tokens on the server side after logout, the Uber rep replied:
> Thanks for the report, but after looking into it, this is a known limitation of our legacy authentication system and we're actively working on a new system that will replace these long-lived tokens with a more mature bearer token. Currently, the value associated with the x-uber-token HTTP header is a token that is only changed upon password reset.
The submitter added a long list of CWE items for OAuth, one of which was relevant (CWE-613: Insufficient Session Expiration). The Uber rep replied:
> Closing it Informative is not a judgement on the validity of the report -- it simply indicates we already knew about this and are actively addressing it already.
Seems reasonable that Uber's team knows their tokens don't expire and that it's not a good practice.
The rate limiting on the promo code endpoint report is the worst. It looks like Uber actually forwarded this one on to an internal expert, who replied with:
> we would consider the lack of multi-factor authentication a best practices concern, out of scope for our bug bounty program. Additionally, Uber tokens (UUIDs) are made up of 128-bit highly entropic values, making them very difficult to guess or brute force. We’ll be closing this report Informative, as this does not pose a security risk in itself. We wish you the best of luck on your next report!
Which is completely fair (you'd have to try ~10^29 values to get a valid token assuming a billion accounts, which would take millions of years at 1 trillion requests per second). The submitter argued their PRNG might be broken but provided no evidence that was the case. The submitter then posted some very hateful personal attacks against the people responding, including:
> Oh my God. Are you seriously the Program Manager for Uber's Security Division, with a 2013 psych degree and zero relevant industry experience other than technical recruiting? LULZ
I can understand feeling less than obligated to give a payout on these.
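The token behaviour this comment quotes (a bearer token that only changes on password reset, which is what CWE-613 covers) next to a store that expires and revokes sessions server-side, plus the brute-force arithmetic from the same comment. This is an added example, not code from the thread, Uber or HackerOne; the class names, the one-hour default TTL and the billion-account figure are assumptions.

```python
import secrets
import time


class LegacyTokenStore:
    """Models the behaviour the Uber rep described (assumed, simplified): one
    long-lived bearer token per user that only changes on password reset.
    Logout is client-side only, so a leaked token stays valid (CWE-613)."""

    def __init__(self):
        self.by_user = {}   # user -> token
        self.by_token = {}  # token -> user

    def token_for(self, user):
        tok = self.by_user.get(user)
        if tok is None:
            tok = secrets.token_hex(16)  # 128 random bits, as in the thread
            self.by_user[user] = tok
            self.by_token[tok] = user
        return tok

    def logout(self, token):
        return None  # nothing happens server-side; the token is still honoured

    def password_reset(self, user):
        old = self.by_user.pop(user, None)
        if old is not None:
            del self.by_token[old]
        return self.token_for(user)

    def authenticate(self, token):
        return self.by_token.get(token)


class SessionStore:
    """Hardened alternative: a fresh token per login, a server-side TTL,
    revocation on logout, and revocation of every session on password reset.
    The clock is injectable so expiry can be exercised deterministically."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.sessions = {}  # token -> [user, issued_at, revoked]

    def login(self, user):
        tok = secrets.token_hex(16)
        self.sessions[tok] = [user, self.clock(), False]
        return tok

    def authenticate(self, token):
        s = self.sessions.get(token)
        if s is None or s[2]:
            return None
        if self.clock() - s[1] > self.ttl:
            s[2] = True  # expired: treated exactly like a revoked token
            return None
        return s[0]

    def logout(self, token):
        s = self.sessions.get(token)
        if s is not None:
            s[2] = True

    def password_reset(self, user):
        for s in self.sessions.values():
            if s[0] == user:
                s[2] = True


def brute_force_years(bits=128, valid_tokens=10**9, guesses_per_second=10**12):
    """Worst-case years to hit any of `valid_tokens` live tokens drawn uniformly
    from a 2**bits space at a constant guess rate. With the thread's figures
    (a billion accounts, 10^12 guesses/s) that is ~3.4e29 guesses per live
    token, i.e. on the order of 1e10 years."""
    guesses = 2 ** bits / valid_tokens
    return guesses / guesses_per_second / (365.25 * 86400)
```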
Don't open a bug bounty if you have unresolved known issues unless you are prepared to pay out; that's bogus.
All of your other points are "I don't believe him" and "here is some unrelated technical information about uuids that while correct is not really the point". Cool, good for you. Didn't need to put that in a blog post though.
Instead, perhaps we can focus on how we can fix this sharing economy, so that we can all benefit; not just the ones who happened to raise the most money from shareholders.
Start by ditching the term “sharing economy” because there is no “sharing”, person A pays and person B provides some service, so it’s just “economy”.
I thought of an app to facilitate this based off of a review system of past customers. Take a dollar off of the ride to encourage reviews. Leave a tip option to give the dollar back if the passenger liked the ride. Baltimore could benefit from this. Cheaper transportation that connects people that is.
What a catastrophically bad idea.
Firstly, what is societal neutral? Is it where a person is able to indulge in their vices without affecting others, or causing cost to the community? Because if so, drug addiction (of prescription, or legal drugs - alcohol and tobacco - and illegal drugs) fails the test.
Speaking as someone working on the front lines (emergency departments) of society's care for vulnerable people, addiction is an enormous scourge that causes immense harm, particularly with ice, which is highly destructive to the individual, their families and the social fabric of communities.
It really depends on how you measure cost - the current regime of punishing it, or treating it as a character weakness is clearly not working - plus moving sustained addiction outside of a care network to the black market, also clearly isn't working either.
Everything we do has a cost to the community, the question is, since we know we can't eliminate the cost, how can we reduce it?
It's pretty common to assume that addicts are just pieces of inferior shit. Hell, I felt that way before I was one. That was a rather rude awakening.
I've known many current and former addicts in my life, and I don't look at it as a character failing at all; it's just an unfortunate luck of the draw when it comes to biology, genetics, and life experience.
https://www.badabring.com/ (link in Danish)
SideCar closed in late 2014 though :-/ (And there was a recurring cut paid to SC.)
I already benefit from it massively. Before my roommate got me into using Uber a few years ago, I was hesitant to travel to new cities or even go somewhere new or unusual in my own city because of being intimidated by having to figure out where and how to hail a taxi or having to figure out the bus routes. Now as long as I have my phone and I'm in a somewhat populated area, I have no fear.
I'm not familiar with the US, but taxis in most European countries have an app these days. Even >20 years ago you could just call their phone number and they would pick you up from (or drop you) anywhere, even in remote villages, even at 4am. Never had a problem. I find it hard to believe the same isn't true for the US.
Sure public transport isn't as flexible route/time wise but I don't see how Uber is different from regular taxi service - apart from the price.
As a service they are great, reliable. That's all you need to be a successful business; you don't need to innovate. Let Google and Microsoft think about AI. All Uber needs to do is make sure I get to my destination on time.
When you think about impact, you might say Uber has topped all tech companies. Sure, Google AI can be the best chess player, but Uber gives mobility to me and many others in an easy to use application, which is much more effective in my day to day life.
“I’m also able to bypass the Uber OneLogin SSO portal, resulting in source code disclosure from their internal uChat employee messaging system.”
Where’s the proof? I don’t see any whatsoever. I highly doubt that you were actually able to bypass the OneLogin because if you did, they’d definitely pay out and it’d be an actual issue rather than some crappy bugs.
Lack of certificate pinning IS NOT a critical issue. Critical issues are code execution, file read, etc.
The odds of you actually guessing UUIDs are super low and pretty difficult, they did the right thing in closing as informative. You’d have to try “~ 10²⁹ values to get a valid token assuming a billion accounts, which would take millions of years at 1 trillion requests per second.” You claimed their PRNG was broken but had no evidence or support to back it.
“Are you seriously the Program Manager for Uber’s Security Division, with a 2013 psych degree and zero relevant industry experience other than technical recruiting?” — you’re a complete moron, glad you know how to personally attack people, Uber definitely had the right to ban you from their program.
Programs CANNOT delete comments from HackerOne Reports (as you claim in https://hackerone.com/reports/293359)
It otherwise appears to be an attempt by Uber to get a bit of free crowdsourced pentest.
I'm honestly curious about the HN community on Uber now: does anyone trust Uber on anything at this point? Do you still take any of their research, publications, whitepapers, etc., at face value? Do you trust their code contributions on OSS to not contain malicious attack vectors?
They've paid out more than $1,300,000 in bounties, you can view all their payouts here:
> Do you trust their code contributions on OSS to not contain malicious attack vectors?
This has nothing to do with anything.
As for the rest, it has to do with everything. Would you trust your application's security to code libraries written by a company with the allegations hanging over Uber? If there's a chance your customer data might be a strategic asset for Uber?
> Oh my God. Are you seriously the Program Manager for Uber's Security Division, with a 2013 psych degree and zero relevant industry experience other than technical recruiting? LULZ (https://hackerone.com/reports/293359#activity-2203160)
> Cute. Big surprise. (https://hackerone.com/reports/293358#activity-2214673)
> So these tickets get assigned to Rob Fletcher with Uber’s security team.
Unfortunately, at least for me, this comes off as public shaming.
I guess that's how the first part works. There are things you can try, and there are other things. Messing with freelance pen testers is clearly one of the latter.
Once they have shadowbanned the author, IMO, any attempt at respectfulness is violated by bug bounty organizers.
Maybe there are things more rude than shadowban, but I'm not aware of such.
Uber has many, many problems as a company, but on this matter I can't say they're in the wrong.
The one they failed to recognize as XSS. If they paid for that one there would be no blog post and no name calling.
I don't see this discussion as about whether a corporate PR team is allowed to issue a response. It's about the author childishly lashing out at an individual because he didn't agree with their decision.
Indeed, my belief is that this guy's and Uber's behavior are both not-ok, which is exactly why Uber doesn't get to complain.
No one looks good: he doesn't look good for how he behaved/communicated, Uber doesn't look good for denying the payout on a valid report, and Hackerone doesn't look good for not enforcing a minimum payout on a valid report.
#293358: it's not ideal that the certificate isn't pinned, but to exploit this an attacker needs to either install their own root certificate on the victim's device, somehow obtain a private key for a certificate already installed, or have a certificate authority misissue a certificate to them for an Uber domain used by the app.
#293363: an attacker still needs to acquire the victim's X-Uber-Token somehow for this to be useful. It's also somewhat mitigated by the token being invalidated when the victim changes their password.
#293359: as pointed out by Uber, no weaknesses in the token generation algorithm were actually demonstrated, and brute forcing the 2^128 keyspace is infeasible.
Also, the rudeness he displayed was petty and unhelpful:
> given the fact that at least one of your system architects were apparently high when they designed and implemented your bearer token assignment process
> Not completely unexpected though, given the caliber of talent utilized by Uber such as the “security” group that you hail from. You would do well in government security consulting, for sure.
All in all, rather a poor result for this vulnerability researcher.
1) Companies have the ability to change when the disclosure happens. This is because sometimes, if I find an RCE let's say, companies have to run incident response. This sometimes takes more than 30 days. Also to add, if I just request disclosure for any BS report then it will just clutter the disclosure page with no valuable information for new hackers.
2) I haven't seen reports getting locked unless the reporter goes "Can i haz update" every 2 days. Then in such cases, locking a report is more than fair.
3) You might be confusing this with Limited Disclosure. That is allowed in both sense by companies and hackers. Most of my reports are limited disclosure because sometimes, I have to share personal details or personal information that I don't want other hackers to see.
I support transparency; that is why, till this day, all of my resolved reports for public programs are publicly disclosed. Even in Uber's case, I have disclosed bugs, but they were limited disclosure because they had my personal information. But if you check, Uber has allowed me to write public blogs on my reports.
So please, learn about how the platform and a program work before you make any form of assumption.
An argument should be judged purely on its content. No matter who says it or what their motive is.
However it is reasonable for someone to be suspicious given that you had to create a new account to do that, and you are so vocal in this story.
Welcome to Hacker News, I see it’s your first time visiting.
It seems to me that most of the bigger corps offering bug bounties may be paying too little but at least they follow their own rules.
Apple subsequently denied Tian access to their bug bounty program because going to the press "voided the qualification for the invitation." 
I'm certainly not justifying a poor communication and response to the report, but, it seems like a very different kind of problem, and not one reflective of the kind of corporate sleaze often seen from Uber.
We want submitters to spend time finding issues for us. Thats why we set up the program. It's important to our brand that we don't have security issues and we recognize that a few thousand dollar payout to HackerOne is much cheaper than the potential legal bill if we were compromised.
No, I was too eager to jump on Uber, here.
This is mostly false except for a narrow class of products and bug classes. You could get more on the black market for an iOS jailbreak than Apple would pay you, yes. You could not get more on the black market for any of the bugs the author submitted - most likely you wouldn't find a buyer at all.
But, I'm probably wrong; the company seems to be well financed and has attracted a ton of clients that would be pissed if their investments were to disappear like that. Maybe it's just growing pains combined with fear of pissing off bad actors like Uber. They supposedly have nearly 100,000 active pentesters contracted, so they can stand to lose a little face to keep Uber happy.
I'm 100% on your side regarding the XSS issue but you can't expect them to have a list of security vulnerabilities that they've already discovered at your disposal.
Also: this is Uber. At this point, they’ve used up all their good faith. I definitely wouldn’t be taking anything they say in good faith - I still haven’t forgotten them threatening a journalist or publicly tracking the ride of a CEO for an entire room of people!
SAML has an actual logout endpoint
I think there is more to this story, it sounds like this wasn't a "Cross Site Scripting", but "Content Injection" or "Content Spoofing", a far less serious bug.
You're gonna hate me, but I would award $0 for Content Injection, it's just not a big deal ¯\_(ツ)_/¯
The second POC demonstrated the ability to evade both their WAF and XSS_Auditor.
That's pretty much the whole story.
If you couldn't, it's plausible the non-security developers incorrectly speculated it was possible?
That's false. Non-expired authentication tokens is a serious issue.
I have worked personally on numerous occasions with Uber's security team. I have helped them with many security issues and they have always been open to securing vulnerabilities, listening to hackers to make a change and even paying good payouts.
There are couple of things I want to point out to the author here:
1) You said that if these were Duplicate reports, they have to have a report number assigned. If you use the HackerOne application frequently (which it does not look like you do), a report number is only assigned if it was submitted by another hacker. There are situations when internal findings are also in the process of being fixed.
The Uber treasure map is simply a guide. If you find something that is a bypass of what they said they have, it does not mean it's an original finding. I work at a company where we have our own security team breaking applications every day. Sometimes hackers submit similar findings that our security team found before. In such cases, if it is a low priority issue, it will take time for us to fix because we do not prioritize it. In that case, a hacker will get a report marked as Duplicate with no report number assigned.
For the first three reports that is exactly what happened.
2) Personal attacks against an employee of a company will not help you anyway. You went after an employee just based on their degree. If you look closely in the industry, it is a matter of experience, not degrees. I have worked with colleagues who are way smarter than me in the field and have way more experience. I never judge them based on their degree.
3) I am still not sure about your reflected XSS bug. Were you able to get an XSS to actually execute? Seeing the reply from Rob makes me think you probably found a valid xss that works on an old browser. In addition, you also said you gained access to internal uChat: "I’m also able to bypass the Uber OneLogin SSO portal, resulting in source code disclosure from their internal uChat employee messaging system." but you did not prove that anywhere in your blog so I don't know if that is legit.
To conclude, considering the recent media attention at Uber due to security mishaps that occurred before, it seems to me that you are just looking for media attention. Your title, first of all, is clickbait because 3 of your reports are duplicates, so I am not sure why you expected any bounty.
To make this clear: I am a hacker in the community and an active participant in Uber's bug bounty and also in HackerOne. I have never seen Uber be unfair to hackers in the platform. Hell, to even encourage hackers, they started to pay 500 on triage.
That said, I am looking forward to your comment on this and would love to see your discussion on my points listed above.
Hopefully this clears it to you.
I guess their apathy makes sense from a short-term, bottom-line perspective, but it still seems a little unseemly.
Is there a better alternative to HackerOne for the security community?
I remember contributing to BigCommerce's crappy software just because I needed it to actually do its job (despite the fact that my boss was paying their enterprise rate). I got shitty responses from their devs and nothing got fixed when I forked and submitted patches. I kept and then hid my working fork and never looked back.
Yeah, a company can fix its own problems. Open source, perhaps... Helping a profitable business for nothing? Never again.
"we have contacted the Uber App Sec team and they have confirmed with us that these are not security issues that are in scope on their program."
Contacting the other party and reporting back what they say is not what is meant by mediation. This is underscored by the next sentence:
"I understand that this can be a disappointment but I can assure you that they looked at this report and gave it the proper attention it deserved." [my emphasis.]
Until, that is, someone shines a light on said immoral behavior for the public to see. Then it tends to have an effect, small as it may usually be.
I realize this can seem like a cynical take, but if you look at the devastation to our planet, and even human life, I think you can see it's an attempt to be accurate, not cynical.
The people who run a corporation can struggle to maintain a moral direction, but that aim is orthogonal to the goals of the firm and when a conflict arises, it's "logical" for the company to replace whoever diverts it from its goal.
Just like this one, his story back then didn't quite add up either.
Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize.
That "says" can be extended to "says, does, is". What you posted has a lot of indignation but doesn't come close to passing the "strongest plausible" test. Maybe you don't owe better to a corporation, but you owe better to this community if you want to post here.
And yes, I know you were referring to people who drive for Uber.
For many people, the process of owning and driving a car doesn't make overall sense, which is why they pay others to do it for them.
I don't see anyone complaining about how maids have to, oh my gosh, clean houses.
The point is that it's far less profitable than it seems, is very stressful, and has variable (unstable) income which further adds to the stress. See for example Uber The Game, based on real life examples.
> I don't see anyone complaining about how maids have to, oh my gosh, clean houses.
Well, of course they don't complain about that here. That'd be offtopic.
Part of the problem with issues like these is that if they don't affect you, why bother caring? Reading about it? Investigating the issue? You're not a maid, so why would you bother? You've got enough on your plate as it is, making your own deadlines and taking care of your family and and... which creates apathy.
I happen to know that regarding maids, and I won't speak for all hotels, but I happen to know from a series called RamBam that at least in 2016 at the Bastion and Ibis hotels in Amsterdam, the cleaning service profession ("hotel maid") was 1) very stressful 2) paid by the number of rooms being cleared 3) a very low number of minutes per room is being accounted for 4) if you don't make it (setback of any kind), tough luck, you get paid less or you gotta work longer. It's a job you would only get if you can't get any other, and you desperately need the money. The companies who hire know that, so the employees get exploited.
If that's still the case, if it's more widespread, I don't know...
Cause what happens all too often in situations like these is when companies have shady, illegal, immoral behavior they resort to ostrich politics until they get exposed and it causes public uproar (in US, as a foreigner, I could think about say, Consumer Reports, or a John Oliver broadcast, or news about X in regular media). Then they start with damage control, but not necessarily with real steps to solve the issue. Just the symptom that the public perceives. Examples of damage control could be empty promises, solving the issue of the specific complaint of that one user, more empty promises, a bunch of excuses, some technicalities or pseudo-intelligent speech, yet more empty promises and excuses, shifting the blame, and all kind of other fallacies. It precisely describes what Uber did until a big change occurred (they got a new CEO). Heck, I've seen Uber employees exercise damage control on HN! Another good example is the #metoo debacles where people deny the allegations until the proof stacked up too high.
https://nl.wikipedia.org/wiki/RamBam#Seizoen_5 (see 5.2)