Uber: Client secret, server tokens for developer applications returned by internal API

ID H1:419655
Type hackerone
Reporter appsecure_in
Modified 2019-02-08T06:28:47


@appsecure_in identified an internal API for https://riders.uber.com that could return client_secret and server token for applications authorized by the account owner to access their Uber account. We restricted the data returned by this endpoint.

Thanks for bringing this to our attention, @appsecure_in!
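The fix described above ("we restricted the data returned by this endpoint") is the standard remedy for an API that serializes an internal record wholesale. The following is an added illustration, not Uber's code: it contrasts a handler that returns the full application record with one that projects an explicit allowlist of fields, plus a small response scanner that flags credential-looking keys so a regression test can catch the leak. The field names (client_id, client_secret, server_token, scopes) and the sample record are assumptions modelled on the report's wording.

```python
"""
Added example, not code from Uber or the reporter. Field names and the
sample record below are constructed assumptions based on the report text.
"""

# Constructed sample record as an internal application store might hold it.
SAMPLE_APPS = [
    {
        "app_id": "app-1",
        "name": "Example Ride Tracker",
        "client_id": "cid-EXAMPLE",
        "client_secret": "PLACEHOLDER-CLIENT-SECRET",   # must never reach a rider-facing API
        "server_token": "PLACEHOLDER-SERVER-TOKEN",     # must never reach a rider-facing API
        "scopes": ["profile", "history"],
        "authorized_at": "2018-12-01T00:00:00Z",
    },
]

# Allowlist: the fields an "applications authorized on my account" view needs.
# Anything not listed here is dropped, so a new secret column added to the
# model later is withheld by default.
AUTHORIZED_APP_FIELDS = ("app_id", "name", "client_id", "scopes", "authorized_at")

# Key-name markers used by the regression check below (assumed, not exhaustive).
SECRET_KEY_MARKERS = ("secret", "token", "password", "private_key")


def list_apps_vulnerable(apps):
    """Before: the internal model is returned verbatim, credentials included."""
    return [dict(app) for app in apps]


def project(record, allowed):
    """Copy only allowlisted keys from a record."""
    return {k: record[k] for k in allowed if k in record}


def list_apps_fixed(apps):
    """After: each application is reduced to the allowlisted view fields."""
    return [project(app, AUTHORIZED_APP_FIELDS) for app in apps]


def find_secret_keys(payload, path=""):
    """Walk a JSON-like payload and return dotted paths of credential-looking keys.

    Intended for a test suite or a response-logging hook on the server side,
    so that an endpoint re-exposing a secret field fails CI instead of shipping.
    """
    found = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if any(marker in key.lower() for marker in SECRET_KEY_MARKERS):
                found.append(here)
            found.extend(find_secret_keys(value, here))
    elif isinstance(payload, list):
        for index, value in enumerate(payload):
            found.extend(find_secret_keys(value, f"{path}[{index}]"))
    return found


if __name__ == "__main__":
    print("vulnerable response leaks:", find_secret_keys(list_apps_vulnerable(SAMPLE_APPS)))
    print("fixed response leaks:     ", find_secret_keys(list_apps_fixed(SAMPLE_APPS)))
    print("fixed response:", list_apps_fixed(SAMPLE_APPS))
```

The allowlist direction matters: a denylist that strips `client_secret` and `server_token` silently leaks the next credential column added to the model, whereas a projection of named fields withholds it by default. The scanner is deliberately run on the serialized output rather than the model, since that is where the exposure actually happens.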