Breach, Data Security, Vulnerability Management

Uber forks over $10K bounty for login bypass flaw

Finnish researcher Jouko Pynnönen recently snagged a $10,000 bounty from Uber for discovering a login bypass vulnerability.

In a post on Hackerone.com, Pynnönen said the bug in OneLogin SAML-SSO let anyone “login without a password or other authentication.”

When an attacker supplies a username – along with an email address, name and a role – that isn't in the WordPress database, “the plugin will create a new user (if the provisioning setting is on),” the researcher wrote. But “it looks like in order to gain administrator privileges the attacker has to guess some information - a role name such as "administrator", or the email address or username of an existing administrator,” Pynnönen said.

When he tried to guess the information on eng.uber.com, the researcher said he couldn't uncover the necessary data to gain administrator privileges.

“Therefore [I] was able to create only a ‘subscriber’ level account,” he said. “On newsroom.uber.com the role name apparently was simply ‘administrator’ so I got that privilege on the system. Some other plugin settings may affect this behavior too.”
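The provisioning behaviour described above, modelled as an added Python example (constructed here; not the OneLogin plugin's PHP). It shows the two checks a defender wants in a just-in-time provisioning path: the assertion's signature and issuer are verified before any account is touched, and the asserted role name is never used directly, so a client-chosen value such as "administrator" can only ever yield the lowest role. The group names, issuer URL and user records are assumptions.

```python
from dataclasses import dataclass, field

# Constructed allowlist: IdP group name -> local role. Nothing in the assertion
# can name "administrator"; admin rights must be granted out of band.
ROLE_MAP = {"wp-editors": "editor", "wp-authors": "author"}
ROLE_PRECEDENCE = ["editor", "author"]
DEFAULT_ROLE = "subscriber"


class ProvisioningError(Exception):
    """Raised when an assertion must not log in or create a user."""


@dataclass
class Assertion:
    signature_valid: bool             # outcome of XML-signature verification, assumed done upstream
    issuer: str                       # entity ID of the IdP that signed the assertion
    username: str
    email: str
    groups: list = field(default_factory=list)
    role: str = ""                    # asserted role name; deliberately never trusted below


def map_role(groups):
    """Map IdP groups through the allowlist; unknown groups get the lowest role."""
    granted = {ROLE_MAP[g] for g in groups if g in ROLE_MAP}
    for role in ROLE_PRECEDENCE:
        if role in granted:
            return role
    return DEFAULT_ROLE


def provision(assertion, users, trusted_issuer, provisioning_enabled=True):
    """Log in or JIT-provision a user from a SAML assertion.

    `users` is the local user table (dict username -> record) and is mutated
    only when a new account is created. Returns the user record.
    """
    if not assertion.signature_valid:
        raise ProvisioningError("assertion signature did not verify")
    if assertion.issuer != trusted_issuer:
        raise ProvisioningError("assertion from unexpected issuer")
    if assertion.username in users:
        # Existing account: the assertion never changes its role.
        return users[assertion.username]
    if not provisioning_enabled:
        raise ProvisioningError("unknown user and provisioning is off")
    users[assertion.username] = {"email": assertion.email, "role": map_role(assertion.groups)}
    return users[assertion.username]
```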

Uber notified the researcher in May that it was awarding him its maximum bounty “due to the chain with the shared JavaScript with team.uberinternal.com. We recognized the chained JavaScript source elevates the impact in this case (and rewarded this bug accordingly).”
