
Uber fixes bug that exposed third-party app secrets


Uber has fixed a bug that allowed access to the secret developer tokens of any app that integrated with the ride-sharing service, according to the security researchers who discovered the flaw.

In a blog post, Anand Prakash and Manisha Sangwan explained that a vulnerable developer endpoint on Uber’s back-end systems — since locked down — was mistakenly spitting back client secrets and server tokens for apps authorized by the Uber account owner.

Client secrets and server tokens are considered highly sensitive bits of information for developers as they allow apps to communicate with Uber’s servers. For its part, Uber warns developers to “never share” the keys with anyone.

Prakash, founder of Bangalore-based AppSecure, told TechCrunch that the bug was “very easy” to exploit, and could have allowed an attacker to obtain trip receipts and invoices. But he didn’t test how far the access could have taken him, as he immediately reported the bug to Uber.

Uber took a month to fix the bug, according to the disclosure timeline, and the issue was considered serious enough that Uber emailed developers last week warning of the possible exposure.

“At this time, we have no indication that the issue was exploited, but suggest reviewing your application’s practices out of an abundance of caution,” Uber’s email to developers said. “We have mitigated the issue by restricting the information returned to the name and id of the authorized applications.”
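To make the class of bug concrete, here is an added example in Python (not Uber's code; the app records, field names and user ids are all constructed). It contrasts an "authorized applications" endpoint that serializes whole app records, so the developer's client secret and server token ride along in a response meant for the account owner, with the fixed version that returns only an explicit allowlist of fields, matching the mitigation Uber described. A small `leaked_fields` check shows how a response-contract test can catch this before a researcher does.

```python
"""Added example: field allowlisting for an 'authorized apps' endpoint.

Everything here is constructed for illustration; the record layout, store and
identifiers are assumptions, not Uber's real schema or API.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List, Set


@dataclass
class OAuthApp:
    """A third-party app registered by a developer (constructed shape)."""
    id: str
    name: str
    client_secret: str   # developer credential: must never reach end users
    server_token: str    # developer credential: must never reach end users


# Constructed sample data: which apps each account owner has authorized.
APP_STORE: Dict[str, List[OAuthApp]] = {
    "user-42": [
        OAuthApp("app-1001", "RideTracker", "cs_EXAMPLE_1", "st_EXAMPLE_1"),
        OAuthApp("app-1002", "ExpenseSync", "cs_EXAMPLE_2", "st_EXAMPLE_2"),
    ],
}

# The only fields an account owner needs to see about an authorized app.
PUBLIC_FIELDS = ("id", "name")


def authorized_apps_leaky(user_id: str) -> List[dict]:
    """Before: serializes the full record, so developer secrets leak to the
    account owner (who is not the app's developer)."""
    return [asdict(app) for app in APP_STORE.get(user_id, [])]


def authorized_apps_fixed(user_id: str) -> List[dict]:
    """After: builds the response from an explicit allowlist of fields.
    Adding a new secret column to OAuthApp later cannot widen this response."""
    return [
        {field: getattr(app, field) for field in PUBLIC_FIELDS}
        for app in APP_STORE.get(user_id, [])
    ]


def leaked_fields(response: List[dict]) -> Set[str]:
    """Response-contract check: any key outside PUBLIC_FIELDS is a leak.
    Run this in an API test suite against every endpoint that lists apps."""
    return {key for item in response for key in item if key not in PUBLIC_FIELDS}


if __name__ == "__main__":
    print("leaky response leaks:", leaked_fields(authorized_apps_leaky("user-42")))
    print("fixed response leaks:", leaked_fields(authorized_apps_fixed("user-42")))
    print("fixed response body :", authorized_apps_fixed("user-42"))
```

The design point is that the fixed handler is built from an allowlist rather than by deleting known-sensitive keys from a full record: a denylist silently fails the next time someone adds a credential field to the model, whereas an allowlist has to be widened on purpose.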

Uber did not respond to a request for comment. If that changes, we’ll update.

Prakash was paid $5,000 in Uber’s bug bounty for reporting the bug, and currently ranks in the top five submitters on Uber’s bug bounty.

The security researcher is no stranger to Uber’s bug bounty. Two years ago, he found and successfully exploited a bug that allowed him to receive free trips in both the U.S. and his native India.
