I Could Have Hacked All Uber Accounts- But I Chose to Report it Instead
Credit:
HackerNoon
This post is about an account takeover vulnerability on Uber which allowed attackers to take over any other user’s Uber account (including riders, partners, eats) account by supplying user UUID in the API request and using the leaked token in the API response to hijack accounts. I was able to enumerate any other Uber’s user UUID by supplying their phone number or email address in another API request.
It allowed an attacker to track the victim’s location, take rides from their account, etc. by compromising the account using the leaked access token of Uber mobile application. This also permitted takeover of Uber driver, Eats accounts.