Pen testing outfit Integrity has published a list of eight bugs uncovered during a three-week hunt for security vulnerabilities in the Uber car-hire system.
The team began hunting for vulnerabilities shortly after Uber opened its public bug bounty programme in March.
Despite other pen testers, who participated in an invite-only programme, having gone over the system before them, the team persevered and found flaws as they dug deeper and deeper into the system.
The flaws uncovered by the Portugal-based team allowed them to identify individual drivers and passengers download their travel history. They also discovered a voucher that even Uber didn't know existed for a $100 emergency ride.
They discovered six vulnerabilities which had previously been reported to Uber: open redirect in trip.uber.com, open redirect in riders.uber.com, enumerate users via getrush.uber.com and then brute force via iOS app to get a valid account, ability to download the beta app as admin, use the partner/driver app without being activated and enumerating user IDs with phone numbers.
Eight new vulnerabilities were reported by the team (four are under embargo, not to be disclosed until later): brute force attack to get invite codes via riders.uber.com, view driver waybill via drivers UUID, get drivers private email from UUID and getting information on trips from arbitrary users.
Fabio Pires, writing for the team, said that Uber has a very good bug bounty programme – “with great payouts” – and its development team seem genuinely eager to patch any vulnerabilities as soon as possible.