Uber: No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts

2017-10-21T04:48:35
ID H1:281344
Type hackerone
Reporter cablej
Modified 2018-11-13T22:39:48

Description

A lack of rate limiting on the "/confirm" endpoint made it possible for an attacker to add themselves to arbitrary business.uber.com accounts by brute-forcing confirmation codes. An attacker who guessed the correct confirmation code could then take rides on behalf of the victim company. Some businesses use a geofence for their Uber for Business account, so not every business could be attacked this way.
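The following is an added illustration of the server-side control whose absence the report describes; it is not Uber's code, and the `ConfirmationService`, `PendingInvite` and account identifiers are hypothetical. It shows what a confirmation endpoint needs beyond a plain code comparison: a per-invitation counter of failed guesses, a lockout after a short burst of failures, outright revocation after a fixed total, constant-time comparison, and a refusal to evaluate guesses at all while locked. A fake clock is injected so the lockout expiry can be exercised offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_CONSECUTIVE_FAILURES = 5   # wrong guesses before a temporary lockout
LOCKOUT_SECONDS = 15 * 60      # length of each lockout
MAX_TOTAL_FAILURES = 15        # wrong guesses before the invitation is revoked for good
CODE_LENGTH = 6                # digits in the confirmation code


@dataclass
class PendingInvite:
    code: str
    consecutive_failures: int = 0
    total_failures: int = 0
    locked_until: float = 0.0
    state: str = "pending"     # pending | joined | revoked


class ConfirmationService:
    """Hypothetical server-side store of invitation codes, keyed by business account."""

    def __init__(self, clock=time.time):
        # The clock is injectable so tests can advance time without sleeping.
        self._clock = clock
        self._invites: dict[str, PendingInvite] = {}

    def issue(self, account_id: str) -> str:
        """Create a fresh random code for account_id (the caller would e-mail it to the invitee)."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._invites[account_id] = PendingInvite(code=code)
        return code

    def confirm(self, account_id: str, submitted_code: str) -> str:
        """Validate one guess; returns joined, rejected, locked, revoked or no_pending_invite."""
        invite = self._invites.get(account_id)
        if invite is None or invite.state != "pending":
            return "no_pending_invite"
        now = self._clock()
        if now < invite.locked_until:
            # Never compare while locked: a correct guess during lockout must not succeed.
            return "locked"
        if hmac.compare_digest(invite.code.encode(), submitted_code.encode()):
            invite.state = "joined"          # the code is single-use
            return "joined"
        invite.consecutive_failures += 1
        invite.total_failures += 1
        if invite.total_failures >= MAX_TOTAL_FAILURES:
            invite.state = "revoked"         # the business must send a new invitation
            return "revoked"
        if invite.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            invite.consecutive_failures = 0
            invite.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "rejected"


def worst_case_success_probability() -> float:
    """Upper bound on an attacker's chance per invitation once guesses are capped."""
    return MAX_TOTAL_FAILURES / 10 ** CODE_LENGTH


if __name__ == "__main__":
    svc = ConfirmationService()
    code = svc.issue("example-business")   # constructed account id
    print("issued", code)
    print(svc.confirm("example-business", "000000"))
    print(svc.confirm("example-business", code))
    print("bound on guessing success:", worst_case_success_probability())
```

With the limiter in place an attacker gets at most `MAX_TOTAL_FAILURES` guesses against a six-digit code, so the chance of joining a given account by guessing is bounded at 15 in a million, whereas the unthrottled endpoint let the whole code space be enumerated. In a real deployment the per-invitation counter would be held in shared storage rather than process memory, and a per-source-IP limiter would sit in front of it.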