How we discovered Uber’s developer applications were leaking client secret and server tokens
March 10, 2021
This is being published with the permission of Uber under the responsible disclosure policy.
This post is about an information leakage vulnerability on riders.uber.com: a public API endpoint used by https://riders.uber.com/profile returned the server tokens and client secrets of the applications that the account owner had authorized to access their Uber account.
“The secret for your application, this should be treated like your application’s password. Never share this with anyone, check this into source code, or post in any public forum. Additionally, this should not be distributed on client devices where users could decompile your code and access the secret. If you suspect your client_secret has been compromised you may generate a new one in your application’s dashboard which will immediately invalidate the old secret.”
An attacker could have exploited this easily by connecting their account to any Uber application on production and then calling the profile endpoint, whose API response contained the connected application's server token and client secret.
Uber fixed this issue, as reported, by removing this data from the API response. Uber also publicly notified all developers of this vulnerability and asked them to rotate their secrets periodically.
Uber is a transportation network company (TNC) headquartered in San Francisco, California. Uber offers services including peer-to-peer ridesharing, taxi cab hailing, food delivery, and a bicycle-sharing system. The company has operations in 785 metropolitan areas worldwide. Uber has a valuation of over $100 billion as per Bloomberg’s report.
How my exploit worked step-by-step
The attacker connects any Uber developer application to their own account using OAuth. A few examples of Uber developer applications are IFTTT, Payfare, and Bixby. Nothing about this step is complicated.
Once one of these apps is connected to the attacker's Uber account, the attacker can call the endpoint with their own session data to retrieve the developer application's confidential data and other significant information about the application.
The vulnerable Uber API:
POST /api/getAuthorisedApps HTTP/1.1
Host: riders.uber.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://riders.uber.com/profile
content-type: application/json
x-csrf-token: XXX
origin: https://riders.uber.com
Content-Length: 2
Cookie:
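The root cause here is a response that hands the client the whole authorized-application record, and the fix was to strip the credential fields from it. As an added illustration that is not Uber's code, the snippet below shows such a serializer beside an allowlisted version, plus a regression check that walks a JSON response and flags credential-looking key names; the record layout, field names and sample values are constructed for the example.

```python
import json
import re

# Constructed sample of how an authorized-application record might look
# server-side. The secret values are placeholders, not real credentials.
AUTHORIZED_APPS = [
    {
        "client_id": "app-123",
        "name": "Example Ride App",
        "scopes": ["profile", "history"],
        "client_secret": "CONSTRUCTED_CLIENT_SECRET",
        "server_token": "CONSTRUCTED_SERVER_TOKEN",
    },
]

# Fields a rider is legitimately entitled to see about an app they connected.
PUBLIC_FIELDS = ("client_id", "name", "scopes")


def serialize_vulnerable(apps):
    """Before: the full record, secrets included, goes straight to the client."""
    return json.dumps(apps)


def serialize_hardened(apps):
    """After: only allowlisted fields are emitted; unknown or new fields stay private."""
    return json.dumps([{k: app[k] for k in PUBLIC_FIELDS if k in app} for app in apps])


# Key names that should never appear in a response to an end user.
SENSITIVE_KEY = re.compile(r"secret|token|password|private_key", re.IGNORECASE)


def leaked_keys(payload):
    """Regression check: return any credential-looking key names found anywhere
    in a JSON response body, walking nested objects and arrays."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if SENSITIVE_KEY.search(key):
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(payload))
    return sorted(found)
```

Running `leaked_keys` over every endpoint response in an API test suite turns an excessive-data-exposure bug like this one into a failing build rather than a bug bounty report.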