Uber has undoubtedly changed the taxi game forever: It’s thoroughly modern, app-based and cashless—and eliminates that whole waiting-on-a-rainy-corner-for-a-free-cab thing. But it also opens users up to attack, since a drive train of vulnerabilities has been uncovered in its app.
Three hackers have found eight holes in the Uber mobile app. Vitor Oliveira (@r0t1v), Fábio Pires (@fabiopirespt) and Filipe Reis (@fjreis) of Portugal-based consultancy Integrity said that the holes can be used to do everything from creating fake drivers via a flaw in Uber's driver account activation to creating bogus coupon codes that give drivers $100 extra in fares.
In the latter case, Oliveira, Pires, and Reis found a “litany of discount coupons using brute force checks that Uber failed to rate-limit,” according to the Register. Of those, the most valuable was a $100 Emergency Ride Home code that if applied would hand drivers a further $100 on top of regular fares.
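The missing control in the coupon case is a rate limit on failed code lookups. The following is an added example, not Uber's code: a coupon redemption service that counts failed attempts per account in a sliding window, locks the account out once the budget is spent, and compares codes in constant time. Coupon codes, account ids and thresholds are constructed sample values.

```python
"""Added example: rate-limited coupon redemption (defensive pattern, not Uber's code)."""
import hmac
import time
from collections import defaultdict, deque

# Constructed sample data: valid codes and their value in dollars.
VALID_COUPONS = {"RIDEHOME-7Q2X9K": 100, "WELCOME-3B8M2Z": 10}

MAX_FAILURES = 5        # failed lookups allowed per account per window (assumed)
WINDOW_SECONDS = 600    # sliding window over failed attempts (assumed)
LOCKOUT_SECONDS = 900   # lockout once the budget is exhausted (assumed)


class CouponService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                   # injectable for testing
        self.failures = defaultdict(deque)   # account -> timestamps of failed lookups
        self.locked_until = {}               # account -> time the lockout ends

    def _prune(self, account, now):
        """Drop failures that fell out of the sliding window."""
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def redeem(self, account, code):
        """Return (status, value); status is 'ok', 'invalid' or 'rate_limited'."""
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return ("rate_limited", 0)       # refuse even correct codes while locked
        self._prune(account, now)
        match = None
        for candidate in VALID_COUPONS:      # no early exit: every code is compared
            if hmac.compare_digest(candidate.encode(), code.encode()):
                match = candidate
        if match is not None:
            self.failures[account].clear()
            return ("ok", VALID_COUPONS[match])
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return ("rate_limited", 0)
        return ("invalid", 0)


if __name__ == "__main__":
    svc = CouponService()
    for i in range(6):                       # constructed guessing run against one account
        print(i + 1, svc.redeem("rider-2", f"GUESS-{i:04d}"))
```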
Perhaps most worryingly, the flaws open up privacy issues because they allow rider information harvesting. At least one of them could also give bad guys access to personal information, device data, and trip histories for drivers and riders. The researchers were able to manipulate the Uber help section to find user email addresses, and were able to intercept requests during fare splits to find a passenger's picture, UUID and phone number. They were also able to find driver and passenger trip details, including the full directions of fares, which can be plotted on a map.
Uber is in the middle of patching the issues.
“After a couple of hours, we found out two open redirects that we reported right away,” the hackers said. “From a pen-tester’s view, the security team takes this program very seriously by trying to resolve all the issues as fast as they can.”
Software vulns aren’t strange passengers for Uber. Last October it fixed a software flaw which exposed the personal details of hundreds of its drivers in the US to each other. Drivers took to Reddit to complain about the blunder, which allowed them to view details including driving license, registration, Social Security numbers, tax forms and more.
One told Motherboard he found the issue when uploading a document to the site. After refreshing the page it apparently began to populate with the docs of other drivers.
Photo © Kzemon