Uber


reports in last 90 days

108

disclosed resolved issues

47

disclosed informative issues

7

disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to triage | Time to close | Report Status |
|---|---|---|---|---|---|---|
| High | Sensitive user information disclosure at bonjour.uber.com/marketplace/_rpc via the 'userUuid' parameter | Information Disclosure | appsecure_in | 5d 15h | 1d 19h | Resolved |
| Medium | Lack of proper paymentProfileUUID validation allows any number of free rides without any outstanding balance | Business Logic Errors | eequalsmc2 | 7d 20h | 45d 18h | Resolved |
| No rating | Lack of rate limiting on get.uber.com leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers | Information Disclosure | ddworken | 2d 16h | 122d 1h | Resolved |
| No rating | Client secret, server tokens for developer applications returned by internal API | Information Disclosure | appsecure_in | 5d 18h | 26d 3h | Resolved |
| High | Open Redirect on central.uber.com allows for account takeover | Improper Authentication - Generic | ngalog | 2d 9h | 51d 19h | Resolved |
| Low | IDOR in activateFuelCard id allows bulk lookup of driver uuids | Insecure Direct Object Reference (IDOR) | cablej | 0d 0h | 321d 14h | Resolved |
| High | Subdomain takeover at signup.uber.com | Privilege Escalation | ak1t4 | 0d 9h | 21d 1h | Resolved |
| High | Chained Bugs to Leak Victim's Uber's FB Oauth Token | Improper Authentication - Generic | ngalog | 0d 16h | 5d 18h | Resolved |
| Medium | Reflected XSS POST method at partners.uber.com | Cross-site Scripting (XSS) - Reflected | seifelsallamy | 176d 18h | 183d 19h | Resolved |
| None | Physical Access to Mobile App Allows Local Attribute Updates without Authentication | Improper Authentication - Generic | jigarthakkar39 | 25d 1h | 78d 0h | Resolved |
| None | lert.uber.com: Few default folders/files of AURA Framework are accessible | Information Disclosure | filedescryptor | 22d 13h | 71d 23h | Resolved |
| High | Site-wide CSRF on eats.uber.com | Cross-Site Request Forgery (CSRF) | vijay_kumar1110 | 2d 17h | 15d 22h | Resolved |
| Low | SMS URL verification link does not expire on phone number change and lacks rate limiting | Improper Authentication - Generic | hanuman1 | 5d 15h | 40d 20h | Resolved |
| Medium | Reflected XSS in lert.uber.com | Cross-site Scripting (XSS) - Reflected | hussain_0x3c | 0d 0h | 0d 0h | Resolved |
| Medium | XSS in ubermovement.com via editable Google Sheets | Cross-site Scripting (XSS) - Stored | reptou | 6d 10h | 24d 20h | Resolved |
| Medium | IDOR on partners.uber.com allows for a driver to override administrator documents | Insecure Direct Object Reference (IDOR) | vijay_kumar1110 | 34d 5h | 71d 2h | Resolved |
| High | Stored XSS on any page in most Uber domains | Cross-site Scripting (XSS) - Stored | mdv | 2d 21h | 10d 0h | Resolved |
| High | Lack of payment type validation in dial.uber.com allows for free rides | Business Logic Errors | appsecure_in | Issue was not triaged | 4d 1h | Resolved |
| Low | Open Redirect in riders.uber.com | Open Redirect | bobrov | 0d 2h | 19d 22h | Resolved |
| Medium | Possibility to enumerate and bruteforce promotion codes in Uber iOS App | Brute Force | r0t | 0d 1h | 138d 3h | Resolved |
| Low | Full path disclosure on track.uber.com | Information Disclosure | firs0v | 0d 15h | 0d 4h | Resolved |
| Medium | Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/ | Cross-site Scripting (XSS) - Reflected | fady_othman | 1d 4h | 87d 22h | Resolved |
| Medium | Reflected XSS on multiple uberinternal.com domains | Cross-site Scripting (XSS) - Reflected | fady_othman | 1d 0h | 59d 15h | Resolved |
| No rating | Hack The World 2017 Top 2 Bonus | None supplied | nullelite | Issue was not triaged | 0d 4h | Resolved |
| Medium | No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts | Improper Authentication - Generic | cablej | 4d 17h | 228d 18h | Resolved |