Ridesharing company Uber recently patched a vulnerability in its site that could have allowed an attacker to log into some “.uber.com” sites without a password and further compromise its internal network.
Uber awarded Finnish security researcher Jouko Pynnönen $10,000 for discovering the flaw last month, equalling the highest bounty the company has paid out since it launched the program earlier this year.
The exploit had two parts, according to Pynnönen, one which allowed him to bypass the system Uber uses for employee authentication, OneLogin, and another that could have let an attacker compromise Uber’s internal network, hosted on Atlassian’s Confluence collaboration software.
Pynnönen, who works for the firm Klikki Oy, told Threatpost on Tuesday that the login bug he found could be used to compromise a server that uses WordPress – like Uber’s PR site, newsroom.uber.com.
According to the researcher, the WordPress plugin shipped by OneLogin contained a bug that allowed an attacker the ability to supply any username, email address, name or role they wanted.
“If the username doesn’t already exist in the WordPress database, then the plugin will create a new user,” Pynnönen wrote in his overview of the bug on HackerOne.
On one site, eng.uber.com, he was able to create a “Subscriber” account, while on another, the newsroom.uber.com site, he was able to create an “Administrator” account, simply by guessing the role’s name.
After he had gained administrator privileges on the Newsroom site, he discovered that he’d be able to go on and attack the internal site as well, since the bulk of the pages on that internal site, team.uberinternal.com, refer to a script hosted on the Newsroom site.
The second part of Pynnönen’s vulnerability hinges on the ability to modify that JavaScript file, adrum.js, to compromise Uber’s internal network.
According to the researcher, an attacker could have achieved remote code execution via the compromised site, because JavaScript can be injected from the Newsroom site into the Confluence environment. Pynnönen described a specific example in which after it’s loaded, an add-on/plugin containing code could be installed, and in turn a backdoor servlet could be created.
Uber was quick to address the issues – fixing them both in a day – and acknowledged Pynnonen’s work by rewarding him with the company’s maximum bounty. The high payout was due to the chained JavaScript source, something Uber admits “elevates the impact” of the bug. Pynnönen privately reported the issues at the beginning of May, but the corresponding bug reports didn’t go public on HackerOne until Monday.
It was the second time Pynnönen was rewarded a $10,000 bounty this year for digging up a critical security bug. In January, Yahoo disclosed that it had patched a critical vulnerability in its mail service the previous month that Pynnönen discovered which could have given attackers complete control of a user’s account.
Uber’s bug bounty program got off the ground and graduated from private beta mode in March but until now the company had only awarded $10,000 to a researcher on one occasion. In March, shortly after the program’s inception, a researcher who goes by the handle Orange discovered a remote code execution vulnerability in its rider site.
Pynnönen has been skilled at finding bugs that affect the ride-sharing app since the program debuted. He’s filed 13 bug reports, primarily RCE, CSRF, XSS, and SQL injection vulnerabilities that affect WordPress components used by the service, and is one of the top reporters on the company’s HackerOne page.