-
Notifications
You must be signed in to change notification settings - Fork 169
/
Copy path122791.txt
37 lines (25 loc) · 1.58 KB
/
122791.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
ReportLink:https://hackerone.com/reports/122791
WeaknessName:Violation of Secure Design Principles
Reporter:https://hackerone.com/rohk
ReportedTo:Uber(uber)
BountyAmount:
Severity:
State:Closed
DateOfDisclosure:13.06.2016 21:55:40
Summary:
On `riders.uber.com` when the rider changes their information an email will be sent to their email informing them a change has been made on their rider account.
The rider can change their first name to anything within 45 characters and once the change has been made they can add an email to their account. But once they add the email, a confirmation email will be sent but will contain the riders first name. If the rider changed their first name to `Rider. Visit www.yahoo.com for more info.` the URL posted will have an active hyperlink.
`Hi Rider. Visit www.yahoo.com for more info.,
Please visit this link to confirm your email address:
https://riders.uber.com/confirm-email?email_token=
Love,
Team Uber`
PoC:
This issue does reply on some type of `social engineering`
The attacker can purchase a short domain and put a message within 45 characters as their first name.
Once they have done that they can start adding and/or replacing emails a bunch of times to send mass emails and these emails will be coming from `support@uber.com`
Once the person receiving the emails clicks on the link, they will be redirected to some malicious website.
Video: https://www.dropbox.com/s/84e7oftmcdmb4sw/emailhyperlink.mov?dl=0
Possible Fix:
Do not allow links to be set as the riders names.
Do not allow special characters (. , / \ etc.)