
A critical Improper Authentication vulnerability in Uber allowed password reset for any account

An Italian expert discovered a critical Improper Authentication vulnerability affecting the UBER platform that allowed password reset for any account.

The Italian security expert Vincenzo C., aka @Procode701, discovered 7 months ago a critical vulnerability in the Uber platform that allowed a password reset for any Uber account.

The researcher reported the ‘Improper Authentication’ vulnerability through the company’s Bug Bounty program operated by HackerOne.

“With an email address for a valid Uber account, it was possible to take over that account because the reset token was exposed in the response of a password reset HTTP request. This meant an attacker could initiate password reset for an account and immediately receive the reset token for that account.” reads the summary published by Uber.

“We consider the security of our user’s data top priority, so we were very interested in this report. Furthermore, @procode701 was a pleasure to work with and we look forward to more reports in the future.”

The Italian expert discovered a serious problem in the password reset process: it could be exploited to obtain an authentication token, “inAuthSessionID”, that could then be used to change the password of any account.

I contacted the expert for further details, and he told me that by just sending a password reset request using a valid email address of any Uber account, the reply included the session token “inAuthSessionID.” The Uber platform was generating a specific session token every time a user requested a password reset email.

UBER Improper Authentication flaw

Once the session token “inAuthSessionID” was obtained, it was possible to change the password using the standard link present in the change-password form.

UBER Improper Authentication flaw

  1. https://auth.uber.com/login/stage/PASTE SESSION ID/af9b9d0c-bb98-41de-876c-4cb911c79bd1
     PASTE SESSION ID <– inAuthSessionID generated through the change password email
     af9b9d0c-bb98-41de-876c-4cb911c79bd1 <– tokenID with no expiration date

Request

POST /login/handleanswer HTTP/1.1
Host: auth.uber.com

{
  "init": false,
  "answer": {
    "type": "PASSWORD_RESET_WITH_EMAIL",
    "userIdentifier": {
      "email": "xxxx@uber.com"
    }
  }
}

Reply

HTTP/1.1 200 OK

{
  "inAuthSessionID": "cdc1a741-0a8b-4356-8995-8388ab4bbf28",
  "stage": {
    "question": {
      "signinToken": "",
      "type": "VERIFY_PASSWORD_RESET",
      "tripChallenges": []
    },
    "alternatives": []
  }
}
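The defect above is a password-reset endpoint that echoes the reset token back to the caller instead of delivering it only through the registered email address. The following is an added example, not Uber's code nor the researcher's: a minimal reset flow written for this article that reproduces the leaky pattern beside a hardened version. The hardened flow returns the same generic reply for every request, stores only a hash of the token, delivers the token solely through a (simulated) mailbox, and enforces expiry and single use. All user data, function names and the in-memory stores are constructed for the example.

```python
"""
Added example (not Uber's code): a minimal password-reset flow showing the
defect described above (reset token returned in the HTTP reply) beside a
hardened flow that delivers the token out of band, stores only its hash,
and enforces expiry and single use. All names and data here are constructed.
"""
import hashlib
import hmac
import secrets
import time

# Constructed user store: email -> password hash. A plain SHA-256 stands in
# for a real password KDF so the example has no dependencies (assumption).
USERS = {"alice@example.com": hashlib.sha256(b"old-password").hexdigest()}

# Simulated e-mail outbox so the example runs offline; each entry is a
# message the server "sent" to the account's registered address.
OUTBOX = []

# --- Vulnerable flow: mirrors the behaviour described in the write-up -------

def vulnerable_request_reset(email):
    """Reset endpoint that leaks the session/reset token in its JSON reply."""
    if email not in USERS:
        return {"error": "unknown account"}
    session_id = secrets.token_hex(16)
    OUTBOX.append({"to": email, "session_id": session_id})
    # The defect: the same token the e-mail link carries is echoed back to
    # whoever made the request, so the e-mail step can be skipped entirely.
    return {"inAuthSessionID": session_id, "stage": "VERIFY_PASSWORD_RESET"}

# --- Hardened flow ------------------------------------------------------------

TOKEN_TTL_SECONDS = 15 * 60
# email -> (sha256(token), expiry); only the hash is kept server-side, so a
# database read alone does not yield a usable token.
PENDING_RESETS = {}

def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()

def hardened_request_reset(email, now=None):
    """Generates a reset token, sends it only by e-mail, returns no secret."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)
        PENDING_RESETS[email] = (_hash_token(token), now + TOKEN_TTL_SECONDS)
        OUTBOX.append({"to": email, "reset_token": token})
    # Identical reply whether or not the account exists: nothing for the
    # caller to reuse, and no account enumeration through the reply.
    return {"status": "If the address is registered, a reset e-mail was sent."}

def hardened_complete_reset(email, token, new_password, now=None):
    """Consumes the token once; rejects wrong, expired or reused tokens."""
    now = time.time() if now is None else now
    record = PENDING_RESETS.get(email)
    if record is None:
        return False
    token_hash, expiry = record
    if now > expiry:
        del PENDING_RESETS[email]
        return False
    if not hmac.compare_digest(token_hash, _hash_token(token)):
        return False
    del PENDING_RESETS[email]          # single use
    USERS[email] = hashlib.sha256(new_password.encode()).hexdigest()
    return True

def reply_exposes_token(reply):
    """Check a reviewer can run against either flow's reply: does the JSON
    echo any value that was also placed in an outgoing e-mail?"""
    mailed = {v for m in OUTBOX for k, v in m.items() if k != "to"}
    return any(v in mailed for v in reply.values() if isinstance(v, str))

if __name__ == "__main__":
    print(reply_exposes_token(vulnerable_request_reset("alice@example.com")))  # True
    print(reply_exposes_token(hardened_request_reset("alice@example.com")))    # False
```

`reply_exposes_token` is the check worth keeping in a test suite: it compares what the reset endpoint returns with what it mailed, which is exactly the property the Uber endpoint violated. Hashing the stored token and comparing with `hmac.compare_digest` are the usual additional defences; the short TTL and single-use deletion close the "tokenID with no expiration date" weakness noted in the annotation above.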

The impact of the vulnerability is severe: it allowed an attacker to access any account and any user’s data (e.g. ID card, banking data, driver’s license), including financial data.

Below is the timeline of the vulnerability:

October 2, 2016 – Bug reported to the company
October 4, 2016 – Flaw Triaged
October 6, 2016 – Flaw Resolved
October 18, 2016 – Researcher rewarded with $10,000 USD.


Pierluigi Paganini

(Security Affairs – Improper Authentication flaw, hacking)
