! Uber recently finally opened up its vulnerability reward program, and encourage white-hat gate expand on the Uber online service vulnerability mining. Please with FreeBuf xiaobian together look at this a few logical loopholes the formation of“combination of Boxing” it. Information collected First, we review the Uber Company authorized to detection of the target. Can be found to be the detection range is still very wide, the basic contains the Uber company all of the Online Services. https://. uber.com/ http://. uberinternal.com/ http://petition.uber.org http://ubermovement.com iPhone Rider Application the iPhone Partner Application Android Rider Application Android Partner Application First of all, I the first of the uber Main Domain made a violent enumeration. This step is mainly to collect the Uber company under the domain name of all of the secondary domain name information. Scanning to a few of the open second level domain, I use Nmap for all of the secondary domain name list do the scan, mainly to see these second-level domain name of the Page Title, Page content, etc. ! The first of the Uber APP decompile, and then another with MobSF to the Uber APP to make a Security Monitor. ! The above collection of these information is already enough for us to do a conventional security monitoring. Vulnerability discovery Enumeration discount code Any use of the Uber people know Uber is running user input the coupon to the mortgage part of the fare, I see the riders. uber. com found that on this page there is a payment interface. In the payment interface inside and there is a coupon code for the API interface. In the actual testing process which I found Uber company and not for the API interface to take some anti-enumerated measures, thus resulting hack can be infinite to enumerate the coupon code. ! In the actual enumeration process, we find the following three return data packet length represent different meanings ! If the data length is 1 9 5 1, then the description of the coupons are valid If the data length is 1 9 3 1, then the description of the coupon does not exist If the data length is 1 9 2 1, then the description of the coupons have already expired And Uber, the company allows users to customize their own DISCOUNT CODE, all custom discount code at the beginning will have a uber words, thus resulting in a hacker can enumerate more than 1 0 0 0 a coupon code. In addition to the coupon code of the enumeration, we also found Uber company before the launch of the ERH voucher code can be repeated to add. This coupon code has 1 0 $ 0 originally have been others used, but in the enumeration process we found that regardless of whether this code has not been used, as long as your enumeration to be used. ! Then we contacted the Uber company, to bring this vulnerability to submit to them. 2 0 1 6 years 3 month 2 3 day – vulnerability reported to Uber company 2 0 1 6 years 3 month 2 3 day – Uber start review the vulnerability 2 0 1 6 years 3 month 2 4 day – we update the vulnerability details 2 0 1 6 years 3 month 2 4 day – Uber, the company continues to review the vulnerability 2 0 1 6 year 4 month 1 9 day – the Uber company has to fix the vulnerability 2 0 1 6 years 5 months 2 days – Uber, the Company paid the bounty Use the UUID to view the registered users mailbox At the bottom of the picture we can see that this is the Uber APP on a help function. But to be honest, most of our people are not going to use this thing, even know it had been there would not go to the point. But we do not represent some small portion of the people will not go. ! If you use this thing to Uber company to send some of the help request, it will reply you“we have received your request, we will contact you by the mailbox.” ! By analyzing the request data package after we found that there are two parameters to decide whether or not we can view others mailbox, these two parameters are the x-uber-uuid and uuid. By the Token parameter of the fuzz, and then change the UUID for the other person, after that you can receive someone else's mailbox number. ! You may have questions about how we obtain this UUID? The UUID is so long, it is difficult to enumerate. This behind us and then explained. 2 0 1 6 years 3 month 3 1 day – vulnerability reported to Uber 2 0 1 6 years 3 month 3 1 day – Uber start review the vulnerability 2 0 1 6 4 1 1 day – Uber start to repair the vulnerability 2 0 1 6 4 1 3, – Uber, the Company paid the bounty Enumerate the user ID and telephone number We have been trying to find the Uber company's vulnerabilities, but these vulnerabilities are often difficult to find and use. So we decided to use the APP and the WEB are called a Uber. In use process, we intercept all the request, and found some interesting things. ! When an Uber user attempts to equal shares own the Taxi costs, the Uber APP will read the user's address book, and to distinguish who register through Uber, and the returned data packet contains too much information, such as Uber driver UUID the user's UUID. We can be in the request packet the phone number for enum, then you can get a large number of UUID. We are through this method to get the UUID!