Posted this as a response on Medium but got blocked cause I guess he just wants yes men around lol:

“I’m also able to bypass the Uber OneLogin SSO portal, resulting in source code disclosure from their internal uChat employee messaging system.”

Where’s the proof? I don’t see any whatsoever. I highly doubt that you were actually able to bypass the OneLogin because if you did, they’d definitely pay out and it’d be an actual issue rather than some crappy bugs.

    Lack of certificate pinning IS NOT a critical issue. Critical issues are code execution, file read, etc.
    The odds of you actually guessing UUIDs are super low and pretty difficult, they did the right thing in closing as informative. You’d have to try “~ 10²⁹ values to get a valid token assuming a billion accounts, which would take millions of years at 1 trillion requests per second.” You claimed their PRNG was broken but had no evidence or support to back it.
    “Are you seriously the Program Manager for Uber’s Security Division, with a 2013 psych degree and zero relevant industry experience other than technical recruiting?” — you’re a complete moron, glad you know how to personally attack people, Uber definitely had the right to ban you from their program.
    Programs CANNOT delete comments from HackerOne Reports (as you claim in https://hackerone.com/reports/293359)
Uber DEFINITELY made the right choices in closing your reports as informative, but go ahead, fool yourself.
