
Kevin Roh

Bug Bounty Participant


I am back with another bug I found on Uber.

As you all know, Uber's bug bounty program went public, and some changes were made to their policy.

Medium Issues ($3,000) - Reflected Cross-site Scripting (XSS), most Cross-site Request Forgery (CSRF) issues, access control issues which do not expose PII but affect other accounts, rate limiting issues, account validation bypasses (being able to change driver picture, etc). Any vulnerability which allows the bulk lookup of user UUIDs (e.g. turn an auto-incrementing ID into a UUID, turn an email into a UUID).

Uber updated their program on April 14, 2016.

Removed “rate limiting” from Medium issues description. It is always at our discretion how much to reward an issue and we do so based on the impact to Uber's customers, data, code and employees. Our motivation is to reward as much as possible for great issues. That said, the payout ranges below are intended as rough guidance on how we categorize issues, not a strict rubric.

What caught my eye was that Uber was looking for rate limiting issues. So I started thinking about where Uber needs rate limiting, or where Uber already has rate limits in place. The first place I thought of was the Uber driver tax information page, which requires the driver to enter the last 4 digits of their Social Security number to obtain their 1099-K tax form.

When an Uber driver wants to view their 1099-K tax form they can go to https://partners.uber.com/tax_information

Initially, the driver is required to enter the last 4 digits of their Social Security number or TIN.

The issue was that no rate limiting was in place, so a user could brute-force every value from 0000 to 9999, which would take only a couple of seconds.

On top of that, if you enter the last 4 digits of the SSN incorrectly, you get this error:

Invalid entry, please retry with SSN ending in xx-xxx-xx25 or click here if you are unable to validate your tin.

With that information, instead of enumerating 0000-9999, an attacker only needs to go through 00-99, because the error message already gives away the last 2 digits of the SSN.

Once the correct last 4 digits are found, the attacker has access to the driver's:

  • Name
  • Address
  • Social Security Number
  • Total Pay

Within a couple of days Uber responded, fixing the rate limiting issue by requiring the user to enter the last 6 digits of their SSN and allowing only 3 attempts before locking the user out for an hour.

The 1099-K tax form also no longer shows the entire SSN, only the last 4 digits.
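To make the weakness and the fix concrete, here is an added example (my own illustration, not Uber's code) of a partial-SSN check in Python. It shows three things from the write-up: how echoing two digits in the error message shrinks the search space from 10,000 to 100 guesses, how a per-account failure counter with a one-hour lockout after 3 attempts stops a brute-force run, and how a generic error message avoids leaking any digits. The driver ID and SSN in the demo are constructed sample values; `TaxFormVerifier`, `FakeClock` and the other names are mine.

```python
"""Partial-SSN verification: leaky/unlimited version vs. rate-limited version (added example)."""
import hmac
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3          # attempts allowed before lockout (matches the fix described in the post)
LOCKOUT_SECONDS = 3600    # one-hour timeout (matches the fix described in the post)
GENERIC_ERROR = "Invalid entry, please retry or contact support."


def leaky_error(full_ssn: str) -> str:
    """The kind of message the post quotes: the SSN is masked but its last two digits are echoed.
    Anyone who sees this only has to search 00-99 instead of 0000-9999."""
    digits = full_ssn.replace("-", "")
    return ("Invalid entry, please retry with SSN ending in "
            f"xx-xxx-xx{digits[-2:]} or click here if you are unable to validate your tin.")


def guesses_to_exhaust(digits_required: int, digits_leaked: int) -> int:
    """Size of the search space an unthrottled attacker faces: 10^(required - leaked)."""
    return 10 ** (digits_required - digits_leaked)


@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0


class TaxFormVerifier:
    """Hardened check: more digits required, failures counted per driver, lockout after
    MAX_ATTEMPTS, and a generic error that reveals nothing about the stored value."""

    def __init__(self, ssn_by_driver: dict, digits_required: int = 6, clock=time.monotonic):
        self._ssn = {d: s.replace("-", "") for d, s in ssn_by_driver.items()}
        self._digits = digits_required
        self._clock = clock
        self._state: dict = {}

    def verify(self, driver_id: str, entered: str):
        state = self._state.setdefault(driver_id, AttemptState())
        now = self._clock()
        if now < state.locked_until:
            # Refuse without comparing: a locked account yields no information at all.
            return False, "Too many attempts; try again later."
        expected = self._ssn[driver_id][-self._digits:]
        # Constant-time comparison so response timing does not reveal matching digits.
        if len(entered) == len(expected) and hmac.compare_digest(entered, expected):
            state.failures = 0
            return True, "OK"
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
        return False, GENERIC_ERROR


class FakeClock:
    """Injectable clock so the lockout window can be exercised without waiting an hour."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Walk a constructed account through three wrong guesses, the lockout, and recovery."""
    clock = FakeClock()
    # Constructed sample record; not a real person or SSN.
    verifier = TaxFormVerifier({"driver-1": "000-00-1234"}, digits_required=6, clock=clock)
    results = {}
    results["first_three"] = [verifier.verify("driver-1", g)[0]
                              for g in ("000000", "000001", "000002")]
    # The account is now locked: even the correct value is refused until the window expires.
    results["locked_correct_guess"] = verifier.verify("driver-1", "001234")[0]
    results["locked_message"] = verifier.verify("driver-1", "001234")[1]
    clock.advance(LOCKOUT_SECONDS)
    results["after_lockout_correct_guess"] = verifier.verify("driver-1", "001234")[0]
    return results


if __name__ == "__main__":
    print("4 digits, none leaked:", guesses_to_exhaust(4, 0), "guesses")
    print("4 digits, 2 leaked:  ", guesses_to_exhaust(4, 2), "guesses")
    print("6 digits, none leaked:", guesses_to_exhaust(6, 0), "guesses")
    print(demo())
```

The lockout alone caps an attacker at 3 guesses per hour per account, so even the 100-guess space left by the leaky message would take more than a day to exhaust; combining it with a longer suffix and a non-revealing error is what closes the hole rather than just slowing it down.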

Overview

  • Requires an account takeover
  • Tax information can be retrieved by brute force
  • Uber requires the last 6 digits of the social security number
  • Uber has reverted back to only requiring the last 4 digits of your social security number
  • Uber set rate limiting in place. Only allowing 3 attempts
  • Tax information only shows the last 4 digits of the social security number now.

In the report @notcollin informed me that they are mostly looking for rate limiting issues relating to:

Our intention in describing it as a medium issue was around cases letting someone scrape and download all Uber users' emails or something like that.

Uber has resolved this issue and a bounty was given.