UBER Authentication Vulnerability found
Category : Blog
UBER Authentication Vulnerability found that allows anyone to change anyone’s Uber account password without any authentication. Vincenzo C., an Italian security expert who is popular on Twitter as @Procode701, has discovered a critical Authentication Vulnerability in UBER by which anyone can reset the password for any account.
The company held the Bug Bounty program which was operated by Hackerone where the researcher found the ‘Improper Authentication’ vulnerability.
“With an email address for a valid Uber account, it was possible to take over that account because the reset token was exposed in the response of a password reset HTTP request. This meant an attacker could initiate password reset for an account and immediately receive the reset token for that account”, explained by the UBER.
“We consider the security of our user’s data top priority, so we were very interested in this report. Furthermore, @procode701 was a pleasure to work with and we look forward to more reports in the future.”
The vulnerability in the reset password could be exploited to generate an authentication token “inAuthSessionID”, and then anyone could use this to change the password for any account found out by the security expert.
Here is the UBER Improper Authentication flaw,
To change the password for any account you just need to obtain a session token “inAuthSessionID” and then using the standard link that is present in the change password form you can easily change the password.
https://auth.uber.com/login/stage/PASTE SESSION ID <— inAuthSessionID generated through the chaneg password email /af9b9d0c-bb98-41de-876c-4cb911c79bd1 <– tokenID with no expiration date.
POST /login/handleanswer HTTP/1.1
Host: auth.uber.com
{ “init”: false,
“answer”: {
“type”: “PASSWORD_RESET_WITH_EMAIL”,
“userIdentifier”: {
“email”: “xxxx@uber.com”
}
}
}
Reply
HTTP/1.1 200 OK
{
“inAuthSessionID”: “cdc1a741-0a8b-4356-8995-8388ab4bbf28”,
“stage”: {
“question”: {
“signinToken”: “”,
“type”: “VERIFY_PASSWORD_RESET”,
“tripChallenges”: []
},
“alternatives”: []
}
}
The effect of the vulnerability is very critical. It allow a hackers to access any account and any user’s personal data ( ID Card, banking data, Driver License), including financial one.
On the mirror server, the installer file download.handbrake.fr (HandBrake-1.0.7.dmg) was replaced by a malicious file, which gives the hacker root access privileges to the system. The malware is a form of OSX.PROTON. In February, Apple had issued an update to XProtect to account for the original Proton. The latest version should automatically download for more users.
According to the Judge of the Central District Court, without authorisation he had obtained login credentials and accessed the records.
Debenhams stated, “Our communication to affected customers includes detailing steps that we have taken and steps that those customers should take”.
AMT is a tool that allows an authorized user to remotely manage a machine, giving serial access, with the right drivers. It can offer a remotely experienced desktop. In most cases, AMT requires the user authentication with a password but this vulnerability essentially find a way around that process, giving the keys to the kingdom to anyone with a copy of Metasploit.
“There is no data leak and this particular report does not pertain to UIDAI,” said A B P Pandey, CEO of UIDAI while briefing to one of leading national dailies.
When he was arrested Google and Facebook were not named as the victims, but 27 April, according to Fortune, an investigation company has confirmed the victims’ are none other than Google and Facebook.
