Uber is in the process of fixing a slew of security bugs disclosed by security firm Integrity, which discovered and reported 14 issues on the company’s websites and mobile applications.
The security firm only disclosed details about six of these bugs, as they’re waiting on Uber to patch four more.
The first issue they discovered was the potential of launching brute-force attacks against Uber’s promo code feature in the riders.uber.com panel for Uber drivers.
Researchers discover 1,000 active promo codes
The researchers found over 1,000 active promo codes by trying countless random promo code combinations, and even discovered a $100 ERH (Emergency Ride Home) code that would have added $100 to each driver’s fare earnings.
The second issue they discovered allowed researchers to extract user details via the mobile app’s Help section, which in turn allowed them to get the user’s email address.
The third bug manifested when a user asked a second user to split the ride fare. Researchers said they were able to get the driver and invitee’s UUID and then request private information like names, pictures, location, car type, status, rating, phone numbers, and more.
Security firm discovers a method to add rogue Uber drivers
The fourth problem was in the Uber app’s driver activation process. In order for drivers to access a specific area of the Uber app reserved for them, they need to ask Uber to activate their account. Integrity researchers discovered that by toggling the “isActivated” parameter to “true,” they could add rogue drivers to the service.
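The article does not show the request or Uber's server code, so the following is an added example, not Uber's or Integrity's code. It assumes the flaw was a handler that merges client-supplied fields into the account record, and sets that beside a hardened version; every name other than isActivated is hypothetical.

```python
from dataclasses import dataclass, field

SELF_EDITABLE = {"name", "phone", "vehicle"}   # hypothetical profile fields
STAFF_ONLY = {"isActivated"}                   # the flag named in the article


@dataclass
class Account:
    uuid: str
    role: str                                  # assumed to come from the server-side session
    profile: dict = field(default_factory=lambda: {"isActivated": False})


class RejectedUpdate(Exception):
    pass


def update_vulnerable(target: Account, body: dict) -> dict:
    # Merges the request body as-is: whoever sends the request decides isActivated.
    target.profile.update(body)
    return target.profile


def update_hardened(actor: Account, target: Account, body: dict, audit: list) -> dict:
    # Validate the whole body first so a rejected request changes nothing.
    for key, value in body.items():
        if key in STAFF_ONLY:
            allowed = actor.role == "staff" and isinstance(value, bool)
        elif key in SELF_EDITABLE:
            allowed = actor.uuid == target.uuid and isinstance(value, str)
        else:
            allowed = False                    # unknown fields are never merged
        if not allowed:
            # Record the attempt: a driver sending isActivated is a detection signal.
            audit.append({"actor": actor.uuid, "target": target.uuid, "field": key})
            raise RejectedUpdate(key)
    target.profile.update(body)
    return target.profile


def demo() -> dict:
    audit: list = []
    staff = Account("staff-0001", "staff")     # constructed sample accounts
    a, b = Account("drv-0001", "driver"), Account("drv-0002", "driver")
    update_vulnerable(a, {"isActivated": True})            # accepted: the bug
    try:
        update_hardened(b, b, {"name": "B", "isActivated": True}, audit)
    except RejectedUpdate:
        pass
    mid = dict(b.profile)                      # unchanged by the rejected request
    update_hardened(staff, b, {"isActivated": True}, audit)
    return {"vuln": a.profile, "mid": mid, "final": b.profile, "audit": audit}
```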
A fifth issue allowed researchers to access a driver’s waybill section, from where they had access to the driver’s name, license plate, car model, last ride history, and more. Researchers did not disclose all details about this bug because it also allowed them to list the full path of the driver’s previous trip.
The sixth issue is derived from the third. Once the researchers got their hands on a user UUID, they would have been able to get information about that user’s trips in great detail, enough to plot them out on a map.