I Could Have Hacked All Uber Accounts - But I Chose to Report it Instead

posted on September 15, 2019
by l33tdawg
Credit: HackerNoon

This post is about an account takeover vulnerability on Uber which allowed attackers to take over any other user’s Uber account (including riders, partners, eats) by supplying the user UUID in the API request and using the leaked token in the API response to hijack accounts. I was able to enumerate any other Uber user’s UUID by supplying their phone number or email address in another API request.

It allowed an attacker to track the victim’s location, take rides from their account, etc. by compromising the account using the leaked access token of the Uber mobile application. This also permitted takeover of Uber driver and Eats accounts.
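
The flaw class described above (a server that trusts a client-supplied user UUID and returns a token in its response) shown next to a hardened handler. This is an added Python example, not code from the original post or from Uber; the records, field names and function names are hypothetical and the sample data is constructed.

```python
# Constructed sample data: UUIDs, tokens and field names are hypothetical.
USERS = {
    "uuid-alice": {"uuid": "uuid-alice", "name": "Alice", "access_token": "tok-alice"},
    "uuid-bob": {"uuid": "uuid-bob", "name": "Bob", "access_token": "tok-bob"},
}
SESSIONS = {"sess-alice": "uuid-alice", "sess-bob": "uuid-bob"}  # session id -> owner UUID
SECRET_FIELDS = {"access_token"}  # fields that must never appear in an API response


def vulnerable_get_user(session_id, requested_uuid):
    """Flawed pattern: any logged-in caller can read any UUID's full record."""
    if session_id not in SESSIONS:
        return 401, {}
    # No check that requested_uuid belongs to the caller, and no field filtering.
    return 200, dict(USERS.get(requested_uuid, {}))


def hardened_get_user(session_id, requested_uuid):
    """Binds the request to the session owner and strips secret fields."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        return 401, {}
    # Object-level authorization: the caller may only read its own record.
    if requested_uuid != owner:
        return 403, {}
    record = USERS[owner]
    # Allow only non-secret fields into the response body.
    return 200, {k: v for k, v in record.items() if k not in SECRET_FIELDS}


if __name__ == "__main__":
    # Alice's session asking for Bob's record under each handler.
    print(vulnerable_get_user("sess-alice", "uuid-bob"))
    print(hardened_get_user("sess-alice", "uuid-bob"))
    print(hardened_get_user("sess-alice", "uuid-alice"))
```

Both controls matter independently: the ownership check stops cross-account reads, and the field filter keeps a token out of the response even if another code path reaches the same serializer.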
