Uber Bugs Allowed Hackers to Gather Details on Rides, Drivers and Passengers
Uber is in the process of fixing a slew of security bugs disclosed by security firm Integrity, who discovered and reported 14 issues it found on the company's websites and mobile applications.
The security firm only published details about six of these bugs, as they're waiting on Uber to patch four more.
The first issue they discovered had the potential to launch brute-force attacks against Uber's promo code feature panel coming from Uber drivers themselves.
Researchers discover 1,000 active promo codes
The researchers found over 1,000 active promo codes by trying countless random promo code combinations and even discovered a ERH (Emergency Ride Home) code that would have added £'s to each driver's fair earnings.
The second issue they discovered allowed researchers/drivers to extract user details via the mobile app's Help section, which, in turn, enabled them to get the victim's email address.
The third bug manifested with UberPool where users share the fare. Researchers said they were able to get the driver and invitee's UUID and then request private information like names, pictures, location, status, rating, phone numbers, and more.
Security firm discovers a method for adding rogue Uber drivers
The fourth problem was in the Uber app's driver activation process. In order for drivers to access a specific area of the Uber app reserved for them, they need to ask the company to activate their account. Researchers discovered that, by toggling the "isActivated" parameter to "true," they could add rogue drivers to the service.
A fifth issue allowed researchers to access a driver's waybill section, from where they had access to the driver's name, license plate, car model, last ride history, and much more. Researchers did not publicly disclose all details about this bug because it also allowed them to list the full path of the driver's previous trip.
The sixth issue is derived from the third. Once the researchers got their hands on a user UUID, they were able to get information about that person's trips, in great detail, enough to plot out a map.
Source: News Softpedia.
Question: When is a meter, not a meter ?