Thursday, May 18, 2017

vulnerability in Uber allowed password reset

The Italian security expert Vincenzo C. Aka @Procode701 has discovered 7 months ago a critical vulnerability in UBER platform that allowed password reset for any Uber account.
The researcher reported the ‘Improper Authentication’ vulnerability through the company Bug Bounty program operated by Hackerone.
“With an email address for a valid Uber account, it was possible to take over that account because the reset token was exposed in the response of a password reset HTTP request. This meant an attacker could initiate password reset for an account and immediately receive the reset token for that account.” reads the summary published UBER.
“We consider the security of our user’s data top priority, so we were very interested in this report. Furthermore, @procode701 was a pleasure to work with and we look forward to more reports in the future.”
The Italian expert has discovered a serious problem in the password reset process that could be exploited to generate an authentication token “inAuthSessionID” that could be used to change the password for any account.
I contacted the experts for further details and he told me that just sending a password reset request using a valid email address of any Uber account, the reply included the session token “inAuthSessionID.” The Uber platform was generating a specific session token every time a user was sending password reset email.
UBER Improper Authentication flaw
Once obtained the session token “inAuthSessionID” it was possible to change the password using the standard link that is present in the change password form.
  1. https://auth.uber.com/login/stage/PASTE SESSION ID <— inAuthSessionID generated through the chaneg password email  /af9b9d0c-bb98-41de-876c-4cb911c79bd1 <– tokenID with no expiration date.
POST /login/handleanswer HTTP/1.1 
Host: auth.uber.com 
{ "init": false, 
   "answer": { 
      "type": "PASSWORD_RESET_WITH_EMAIL", 
      "userIdentifier": { 
          "email": "xxxx@uber.com" 
      } 
   } 
}
Reply
HTTP/1.1 200 OK 

{ 
     "inAuthSessionID": "cdc1a741-0a8b-4356-8995-8388ab4bbf28", 
     "stage": { 
         "question": { 
                       "signinToken": "", 
                       "type": "VERIFY_PASSWORD_RESET", 
                        "tripChallenges": [] 
                     }, 
                     "alternatives": [] 
      } 
}
The impact of the vulnerability is severe, it allowed a hacker to access any account and any user’s data (i.e. ID Card, banking data, Driver License), including financial one.
Below the timeline of the vulnerability:
October 2, 2016 – Bug reported to the company
October 4, 2016 – Flaw Triaged
October 6, 2016 – Flaw Resolved
October 18, 2016 – Researcher rewarded with $10,000 USD.

0 comments:

Post a Comment