Uber pays $9,000 bug bounty payoff for partner firm’s vulnerability

A security expert discovered a flaw in a ransomware protection service that opened Uber service, and many others, to cyber attacks.

The Russian penetration tester Vladimir Ivanov from the security firm Positive Technologies has discovered a vulnerability in anti-ransomware backup service Code42. The flaw could be exploited by attackers to steal data from the organizations using the services, including Uber, Adobe, and Lockheed Martin.

Ivanov discovered the XML external entity vulnerability while it was searching for flaws in the Uber service that was covered by the bug bounty program of the company.

Ivanov reported the flaw to Uber that agreed to pay him US$9,000 considering that Code42 doesn’t have a bug bounty program.

“The only option to break the service and get a bounty for pwning the [Code42] application was to find a zero day,” Ivanov says.

“[The vulnerability] could give access to backups of all users in a given company. Uber security guys were excited with this vulnerability: they contacted vendor and confirmed that this vulnerability was a zero day.”

An XML External Entity issue occurs everytime an XML input containing a reference to an external entity is processed by a not properly configured XML parser, as a result, it can cause the disclosure of confidential data, denial of service conditions and trigger server-side request forgery attacks.

Ivanov reported the issue to Uber in May through its HackerOne bug bounty, then the company informed Code42 of the flaw that promptly fixed it.

“As a proof-of-concept for Uber, I retrieved the contents of /home/ directory of the server, which was a nice impact illustration to my report at Hackerone,” wrote Ivanov.

“I like to show impact of a given vulnerability, so you don’t have to ask me twice. Given permission to show further exploitation, I quickly found the folder, where backup logs were stored. ”

Code42 asked Ivanov to wait all customers had applied the security updates to fix the flaw before publicly disclose it.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Uber, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.