A series of vulnerabilities in UberCENTRAL, a portal Uber started during the summer to help businesses facilitate rides for customers, could have leaked the names, phone numbers, email addresses, and unique ID of all Uber users.
Kevin Roh, a student who actively hunts for bugs in his spare time, discovered the vulnerabilities when he, in September and October, used two techniques to enumerate Uber userUUIDs, or universally unique identifiers. A third issue he discovered revealed the name, phone number and userUUID associated with email addresses used to register for Uber.
The issues are tied to an insecure direct object reference, or IDOR vulnerability. These vulnerabilities occur when a user record can be retrieved because it’s based on a key value that is under user control. In Uber’s case, those key values are UUIDs; alphanumeric strings of 32 characters and dashes.
“When an attacker is able to perform bulk enumeration of userUUID through an endpoint, they can then at that point perform bulk IDOR attacks against their users,” Roh explained in a blog post Tuesday.
Because Roh had uncovered Uber bugs in the past and was invited to join the company’s private bug bounty program, he could view the backend of UberCENTRAL and, in turn, uncover the bugs.
He discovered the first bug in early September. The flaw allowed him to enumerate userUUIDs via email as an admin, through a POST request. He discovered in October that he could use a similar process, via a GET request, to enumerate UUIDs. An attacker would have to be an admin in order to carry out the enumeration; they could parse through hundreds of thousands of legitimate emails however, according to Roh.
In late October, Roh discovered a third issue: he could get the system to spit out a response complete with the user’s first and last name, phone number, and email address.
another 2 vulns reported to Uber 😀
— Kevin (@rohk_infosec) October 21, 2016
While the vulnerabilities were technically in UberCENTRAL, Roh told Threatpost Tuesday that before they were fixed, information on any Uber user could have been looked up.
Roh said for an attacker, the UUIDs would only be practical in the presence of an insecure direct object reference, however.
“The admin can use any email address that is associated with Uber to view their userUUID. Except for the last vuln which revealed the name, phone number and user uuid which was associated with the email address. Which shouldn’t have happened because when the admin adds an operator, their information (name, phone number, userUUID) should only be shown once the operator logs into UberCENTRAL. But, by doing the GET request, their information was revealed even though it wasn’t shown on the web page,” Roh told Threatpost.
Uber fixed the first issue by removing userUUID from the response, and fixed the second and third issues by randomizing the userUUID it spits back out and marking the “firstname,” “lastname,” and “phonenumber” fields as NULL. Uber pushed all of the fixes in October, but Roh didn’t disclose them until this week.
It’s unclear how much the three insecure direct object reference vulnerabilities fetched Roh but bugs he previously uncovered on Uber.com and other Uber domains earned him between $500 and $1,000 per vulnerability.
An Uber spokesperson on Tuesday could only confirm to Threatpost that the bugs had been fixed and that no users were impacted. Uber doesn’t specify how much it awards for every bounty it pays out, but claims on its HackerOne page that it’s addressed 470 reports and paid $700,000 to white hat hackers since the program’s inception.
The ride-sharing company formally launched its bug bounty program in March, bringing it out of private beta mode. When it was first unveiled, HackerOne’s CTO Alex Price said transparency between the program’s participants with Uber was crucial.
“The recurring theme was that researchers would be more effective if they were treated like internal security team members, rather than be kept arm’s length as we see with most bug bounty programs,” Rice said at the time.
Roh, who’s No. 4 on Uber’s HackerOne leaderboard, has been finding vulnerabilities in Uber domains since the beginning of that program. He claims he got hooked after stumbling across licenses, Social Security numbers, and tax information for 900 of Uber’s partners on the site; Uber fixed that issue and invited him to the private beta bounty group.