Uber forks over $10K bounty for login bypass flaw

Researcher Jouko Pynnönen collected $10,000 for uncovering a login bypass vulnerability.

Finnish researcher Jouko Pynnönen recently snagged a $10,000 bounty from Uber for discovering a login bypass vulnerability.

In a post on Hackerone.com, Pynnönen said the bug in OneLogin SAML-SSO let anyone “login without a password or other authentication.”

When an attacker supplies a username – along with an email address, name and a role – that isn't in the WordPress database, “the plugin will create a new user (if the provisioning setting is on),” the researcher wrote. But “it looks like in order to gain administrator privileges the attacker has to guess some information - a role name such as "administrator", or the email address or username of an existing administrator,” Pynnönen said.
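The provisioning behaviour described above is the point a defender would want to pin down. The following is an added illustration, not code from the OneLogin plugin, Uber or the researcher: a hypothetical decision function for a SAML login handler that never provisions a privileged role from assertion-supplied attributes, keeps the stored role for existing accounts, and refuses to act on an assertion whose IdP signature did not verify. All function and role names are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Roles that auto-provisioning may ever
// grant. "administrator" is deliberately absent: privileged accounts must be
// created by an administrator, not by whoever controls an assertion's attributes.
const PROVISIONABLE_ROLES = ['subscriber' => true, 'contributor' => true];

/**
 * Decide what a SAML login attempt may do (hypothetical helper).
 * $attrs           attributes taken from the assertion (username, email, name, role)
 * $signatureValid  result of verifying the IdP signature on the assertion
 * $provisioningOn  the plugin's "create unknown users" setting
 * $existingUsers   map username => role for accounts already in the database
 * Returns ['action' => 'deny'|'login'|'create', plus 'role' or 'reason']
 */
function decide_saml_login(array $attrs, bool $signatureValid, bool $provisioningOn, array $existingUsers): array
{
    // Never act on an assertion the identity provider did not sign.
    if (!$signatureValid) {
        return ['action' => 'deny', 'reason' => 'unsigned or tampered assertion'];
    }
    $username = strtolower(trim($attrs['username'] ?? ''));
    if ($username === '' || !preg_match('/^[a-z0-9._-]{1,60}$/', $username)) {
        return ['action' => 'deny', 'reason' => 'invalid username'];
    }
    // Existing account: keep the role stored in the database; the assertion's
    // role attribute is ignored, so it cannot be used to escalate.
    if (isset($existingUsers[$username])) {
        return ['action' => 'login', 'role' => $existingUsers[$username]];
    }
    if (!$provisioningOn) {
        return ['action' => 'deny', 'reason' => 'unknown user and provisioning disabled'];
    }
    // New account: only a role from the allowlist, defaulting to subscriber.
    $requested = strtolower($attrs['role'] ?? 'subscriber');
    $role = isset(PROVISIONABLE_ROLES[$requested]) ? $requested : 'subscriber';
    return ['action' => 'create', 'role' => $role];
}

// Constructed sample inputs for a quick run.
$known = ['alice' => 'administrator'];
$unknownAskingAdmin = ['username' => 'newuser', 'email' => 'n@example.com', 'name' => 'N', 'role' => 'administrator'];
print_r(decide_saml_login($unknownAskingAdmin, true, true, $known));
print_r(decide_saml_login(['username' => 'alice', 'role' => 'subscriber'], true, true, $known));
print_r(decide_saml_login($unknownAskingAdmin, false, true, $known));
```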

When he tried to guess the information on eng.uber.com, the researcher said he couldn't uncover the necessary data to gain administrator privileges.

“Therefore [I] was able to create only a ‘subscriber’ level account,” he said. “On newsroom.uber.com the role name apparently was simply ‘administrator’ so I got that privilege on the system. Some other plugin settings may affect this behavior too.”

Uber notified the researcher in May that it was awarding him its maximum bounty “due to the chain with the shared JavaScript with team.uberinternal.com. We recognized the chained JavaScript source elevates the impact in this case (and rewarded this bug accordingly).”
