Hacking

Hacking Uber – Experts found dozen flaws in its services and app

Researchers discovered more than a dozen flaws in Uber app and websites, many of them allow hackers to access driver and passenger info.

Security experts from the Integrity firm have found more than a dozen flaws in the Uber website that could be exploited by hackers to access driver and passenger data. The researchers discovered a total of security 14 issues, four of which cannot be disclosed.

One of the vulnerabilities exists in the promotion codes, the riders.uber.com website did not implement security mechanisms to defeat brute-force attacks, allowing attackers to try all possible combinations of strings until the promotion codes haven’t been discovered.

The researchers also found a $100 ERH (emergency ride home) code that could be applied on top of other promo codes.

“Uber also gives an option to customize promotion codes, and since all the default codes began with the word “uber”, it was possible to drop the time of the brute force considerably allowing us to find more than 1000 valid codes.” states the blog post published by Integrity.

Initially this issue was not considered valid because the promotions codes are supposed to be public and be given by anyone. This was true until finding an $100 ERH (Emergency Ride Home) code which they (uber-sec team) had no knowledge about. This ERH codes work differently from all others since even if a promotion code is already applied this ones can still be added.”

UBER app promo codes hackUBER app promo codes hack

The researchers also discovered a security issue that resides in Uber app, in particular in the feature that allows Uber customers to split the fare with other clients.

The experts discovered that the response sent by Uber when users request to split the fare contains the unique identifiers (UUIDs) of both the driver and the passenger. The researchers used the UUID to obtain the associated user’s private email address leveraging on requests made to Uber servers via the Help feature implemented in the Uber app.

Another issue found by the research is the possibility to use the Uber Partner/Driver App without being Activated. Normally, even if users create a driver’s account, it remains not activated until Uber completes the verification procedure that includes the exam of the driver documents.

Users can use the mobile app after their account is validated by the company the value of the variable called “isActivated” is set to “true. The experts discovered that attackers can change the value of the variable to allow them the access to the app, once inside the app they could see the driver’s info (name, license plate, and information on the last passenger and their trip) simply by knowing the targeted driver’s UUID. The UUID can be obtained by requesting a car and then cancelling the order – the UUID is included in the request.

How to discover the UUID of a driver?

Simple, request a car and then cancel the order. The UUID is one of the fields in the request.

Among the issued not yet disclosed, there is the possibility to access the full path of a driver’s trip.

The knowledge of the UUID could be also exploited by hackers to impersonate a user to access his list of trips, including path, driver details, cost, and locations.

The group closed the post on their activity by highlighting the importance of bounty programs to have more secure applications. The asked Uber to provide testing accounts to speed up the testing activities.

“This was our first bug bounty program that we really dedicated some time, and we think it had a positive outcome. At the beginning we weren’t too confident with this program because a lot of people had already tested Uber in the private program, but after some time and when we started to find some good vulnerabilities it gave us the drive to continue and see where it could lead us.” added the team.

“As a final note to our article, we want to say that Uber should provide testing accounts to bug hunters. During our tests we did have our accounts being locked due to the nature of our tests and to unlock them, it was a bit of a nightmare”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Uber app, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Experts found rogue devices, including hidden cellular radios, in Chinese-made power inverters used worldwide

Chinese "kill switches" found in Chinese-made power inverters in US solar farm equipment that could…

2 hours ago

US Government officials targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials

FBI warns ex-officials are targeted with deepfake texts and AI voice messages impersonating senior U.S.…

18 hours ago

Shields up US retailers. Scattered Spider threat actors can target them

Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting…

21 hours ago

U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog<gwmw style="display:none;"></gwmw>

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver…

1 day ago

Pwn2Own Berlin 2025 Day Two: researcher earned 150K hacking VMware ESXi

On day two of Pwn2Own Berlin 2025, participants earned $435,000 for demonstrating zero-day in SharePoint,…

2 days ago

New botnet HTTPBot targets gaming and tech industries with surgical attacks

New botnet HTTPBot is targeting China's gaming, tech, and education sectors, cybersecurity researchers warn. NSFOCUS …

2 days ago