Friday, 3 March 2017

How anyone could have used Uber to ride for free!

Note: This is being published with the permission of Uber under the responsible disclosure policy. The vulnerability was fixed in August 2016.

Summary:

This post is about an interesting bug in Uber which could have been used to ride for free anywhere in the world. An attacker could have misused it to take unlimited free rides from their own Uber account.

Description:

Uber Technologies Inc. is an online transportation network company headquartered in San Francisco, California, with operations in 528 cities worldwide. Users can create their account on Uber.com and can start riding. When a ride is completed a user can either pay cash or charge it to their credit/debit card.
But by specifying an invalid payment method (for example "abc", "xyz", etc.), I could ride Uber for free.

To demonstrate the bug, I took permission from the Uber team and took free rides in the United States and India, and I wasn't charged on any of my payment methods.

Vulnerable request:

POST /api/dial/v2/requests HTTP/1.1
Host: dial.uber.com

{"start_latitude":12.925151699999999,"start_longitude":77.6657536,"product_id":"db6779d6-d8da-479f-8ac7-8068f4dade6f","payment_method_id":"xyz"}

Steps to reproduce:

1) Replayed the above request with random characters as payment_method_id.

2) Ride was free.
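The server-side flaw, as an added illustration (this is not Uber's code, and the rider/wallet structure and the function names are assumptions): the vulnerable handler stores whatever payment_method_id the client sends, while the hardened one fails closed by requiring a well-formed id that is actually on file for the authenticated rider, and logs the rejection so such requests are visible to detection.

```python
import logging
import uuid

log = logging.getLogger("ride-requests")

# Constructed sample data (not Uber's schema): each rider's wallet maps the
# payment-method ids the rider has on file to a billing description.
WALLETS = {
    "rider-1": {
        "5b1e9a2c-7c1a-4d6b-9d0e-1f2a3b4c5d6e": "card ending 4242",
        "c0ffee00-1111-4222-8333-444455556666": "cash",
    },
    "rider-2": {},  # rider with nothing on file
}


class InvalidPaymentMethod(ValueError):
    """Raised when the request cannot be tied to a payment method we can bill."""


def create_request_vulnerable(rider_id: str, body: dict) -> dict:
    """The bug: trusts the client-supplied id, so "xyz" is accepted as-is."""
    return {"rider_id": rider_id, "payment_method_id": body.get("payment_method_id")}


def create_request_hardened(rider_id: str, body: dict) -> dict:
    """Fail closed: the id must be well-formed AND belong to this rider."""
    pm_id = body.get("payment_method_id", "")
    try:
        uuid.UUID(pm_id)  # syntactic check first (ids are assumed to be UUIDs)
    except (ValueError, TypeError, AttributeError):
        log.warning("malformed payment_method_id from %s: %r", rider_id, pm_id)
        raise InvalidPaymentMethod("payment_method_id is not a valid id")
    wallet = WALLETS.get(rider_id, {})
    if pm_id not in wallet:  # existence and ownership check against the server-side record
        log.warning("payment_method_id not on file for %s: %r", rider_id, pm_id)
        raise InvalidPaymentMethod("payment method not on file for this rider")
    return {"rider_id": rider_id, "payment_method_id": pm_id, "billing": wallet[pm_id]}
```

The ownership check matters as much as the format check: a syntactically valid id that belongs to another rider, or to nobody, is rejected the same way.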

Video Proof of concept:

Thanks to uber team for fixing this quickly.

16 comments:

  1. congrats. hope you are the best bounty awardee in India. Kudos

  2. what sw did you use to see the http traffic?

    1. Looks like he was using Burp Suite, it is a simple tool that hooks into the browser as a proxy.

  4. WOW Super, You are Inspiration to current and next generations.

  5. Best wishes and wish you a successful future...:)

  6. Hey Anand. Congrats (y) Can I contact you via mail or phone please? I would like to discuss something with you. It would be great if you could share your mail id or phone number :)

  7. Nice Anand !! BTW, he used Burpsuite Pro Tool :)

  8. I am a 14yr old white hat hacker
