How I could’ve ridden for free with Uber

This post is about a critical bug on Uber which could have been used by hackers to get unlimited free Uber rides anywhere in the world.

Written by Anand Prakash

January 26, 2018 | 2 min read

This post is about a critical bug on Uber which could have been used by hackers to get unlimited free Uber rides anywhere in the world. This post also explains a few best practices while integrating payment gateways.

About Uber Technologies

Uber Technologies Inc. is an online transportation network company headquartered in San Francisco, California, with operations in 528 cities worldwide. The company operates in 785 metropolitan areas worldwide. According to a Bloomberg report, Uber has a valuation of over $100 billion.

About the Vulnerability

Users can create an account on Uber.com and book a ride. When the ride is completed, the user can either pay cash or charge it to their credit/debit card. But by specifying an invalid payment method (for example abc, xyz, and so on), I was able to ride Uber for free.

To demonstrate the bug, I got permission from the Uber team and took a free ride in India. I wasn't charged for any of my rides using the invalid payment method.

Vulnerable request:

POST /api/dial/v2/requests HTTP/1.1
Host: dial.uber.com

{"start_latitude":12.925151699999999,"start_longitude":77.6657536,"product_id":"db6779d6-d8da-479f-8ac7-8068f4dade6f","payment_method_id":"xyz"}

Steps to Reproduce

  1. Replayed the above request with random characters as payment_method_id.
  2. The ride was free as the transaction was completed even without a valid payment method.

Video Proof Of Concept:

Thanks to the Uber Security team for fixing this quickly.

Disclosure Timeline

Aug 22nd, 2016: Vulnerability Report to Uber.

Aug 26th, 2016: Uber requested more information about the bug.

Aug 26th, 2016: Took a free ride and replied with the ride details.
</gr_replreplace>
<gr_replace lines="53" cat="clarify" orig="As a developer">
As a developer, you should always cover the test cases below when integrating payments:

Aug 27th, 2016: Vulnerability fixed by Uber.

Sep 10th, 2016: Rewarded with $5000 bounty by Uber.

Takeaways

As a developer, you should always take care of the below test cases when integrating payments:

a) Verify whether the payment succeeded or failed with a server-to-server request to the payment gateway, or by verifying the checksum the payment gateway provider returns.

b) Always compare the price of the item with the amount the user actually paid to the payment gateway.

c) Validate the currency in payment API calls. For example, an attacker could pay 50 IDR for a 50 USD item.

d) If you store credit/debit card information, always check that the caller is authorized to use it whenever a card identifier is passed in one of the API requests.
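As an added example (not Uber's code, data model or any real gateway's API), the Python below sketches the server-side checks the four takeaways call for: a hypothetical in-memory payment-method store for (d), and a hypothetical HMAC checksum over gateway callback fields for (a)-(c); all data is constructed.

```python
import hmac
import hashlib

# Constructed sample data standing in for the rider/payment-method store and the
# shared secret a payment gateway would use to sign its callbacks. Hypothetical;
# not Uber's code, data model or any real gateway's API.
GATEWAY_SECRET = b"constructed-shared-secret"
PAYMENT_METHODS = {
    "pm_7f3a": {"owner": "rider_1", "active": True},
    "pm_9c21": {"owner": "rider_2", "active": True},
}

def validate_payment_method(rider_id, payment_method_id):
    """Takeaway (d): an identifier in a request is only a claim. It must resolve to
    an active payment method that the calling rider actually owns; an unknown
    string (such as the "xyz" above) is rejected instead of being stored as-is."""
    pm = PAYMENT_METHODS.get(payment_method_id)
    return pm is not None and pm["active"] and pm["owner"] == rider_id

def gateway_checksum(fields):
    """Checksum the (hypothetical) gateway computes over canonical callback fields."""
    canonical = "|".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(GATEWAY_SECRET, canonical.encode(), hashlib.sha256).hexdigest()

def verify_payment_callback(callback, expected_amount, expected_currency):
    """Takeaways (a)-(c): trust a 'paid' callback only if its checksum verifies
    under the shared secret and its amount and currency match the server's own
    quote (amount in minor units, e.g. cents)."""
    supplied = callback.get("checksum", "")
    fields = {k: v for k, v in callback.items() if k != "checksum"}
    if not hmac.compare_digest(gateway_checksum(fields), supplied):
        return (False, "bad checksum")           # (a) forged or tampered callback
    if fields.get("status") != "success":
        return (False, "payment not successful")  # (a) gateway reported failure
    if fields.get("currency") != expected_currency:
        return (False, "currency mismatch")       # (c) e.g. 50 IDR for a 50 USD fare
    if int(fields.get("amount", -1)) != expected_amount:
        return (False, "amount mismatch")         # (b) underpayment
    return (True, "ok")
```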