This is not the first time Anand Prakash of AppSecure has disclosed a vulnerability in a popular application. Earlier in 2018, the team found an issue in Tinder that allowed them to log in to any Tinder account.
Anand Prakash of AppSecure is a top-ranked hacker on Uber's bug bounty program (4th worldwide, 1st in India) and has earned more than 25 lakh INR (about 35,000 USD) from Uber alone to date.
He is also ranked 3rd worldwide and 1st in India on Twitter's bug bounty program.
This time, AppSecure's Anand Prakash and Manisha Sangwan jointly disclosed an API vulnerability that leaked the client secret and server token of any Uber developer application. Uber's engineering team triaged the issue promptly and awarded a bounty of 3.5 lakh INR (5,000 USD). – reported to Hackerpost.co
The vulnerability lay in riders.uber.com: a public API endpoint under https://riders.uber.com/ returned, alongside the data it was meant to serve, the client secret of any Uber developer application the caller had connected to their account. Uber fixed it by removing the extra fields from the API response.
The Uber documentation says the following:
“The secret for your application, this should be treated like your application’s password. Never share this with anyone, check this into source code, or post in any public forum. Additionally, this should not be distributed on client devices where users could decompile your code and access the secret. If you suspect your client secret has been compromised you may generate a new one in your application’s dashboard which will immediately invalidate the old secret.”
To exploit the issue, an attacker connects any Uber developer application to their own Uber account and then requests the vulnerable endpoint, which returns the leaked data in its API response.
Image: A screenshot of the notifications sent to the developers by Uber for this particular vulnerability
Steps to replicate:
The attacker connects any Uber developer application (IFTTT, Payfare and Bixby are examples) to their own Uber account via OAuth. This is an ordinary, uncomplicated flow.
Once the application is connected, the attacker queries the vulnerable endpoint with their own session and receives the developer application's confidential data (its client secret and server token) along with other details of the application.
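How such a leak typically arises and what the fix looks like, as an added example that is not part of the original report and is not Uber's code. The endpoint shape, field names and sample credentials below are hypothetical; the pattern is the one the report describes: an endpoint that serialises a whole "connected application" object (so server-side secrets ride along with the display fields) beside a version that returns only an explicit allowlist of fields, plus a scan of the response for credential-like keys that can sit in a test suite as a regression check.

```python
"""Excessive data exposure in an API response: vulnerable vs hardened serializer.

Hypothetical example, not Uber's code. Models a "connected applications"
endpoint that lists the OAuth developer apps a user has authorised.
"""
from dataclasses import dataclass, asdict
import re


@dataclass
class DeveloperApp:
    app_id: str
    name: str
    redirect_uri: str
    client_secret: str   # must never leave the server
    server_token: str    # must never leave the server


# Constructed sample data; the credentials are placeholders, not real values.
CONNECTED_APPS = [
    DeveloperApp("app-001", "Example Ride Logger", "https://example.test/cb",
                 "cs_constructed_secret_1", "st_constructed_token_1"),
    DeveloperApp("app-002", "Example Expense Sync", "https://expense.test/cb",
                 "cs_constructed_secret_2", "st_constructed_token_2"),
]


def connected_apps_vulnerable(apps):
    # Serialises every attribute of the stored object. Whatever the model
    # holds, including the developer's secrets, ends up in the JSON body
    # returned to the user's browser session.
    return [asdict(a) for a in apps]


# Fields the end user is entitled to see about an app they connected.
PUBLIC_FIELDS = ("app_id", "name", "redirect_uri")


def connected_apps_hardened(apps):
    # Explicit allowlist: new columns added to the model later are not
    # exposed by accident, because nothing is emitted unless named here.
    return [{k: getattr(a, k) for k in PUBLIC_FIELDS} for a in apps]


# Key names that should never appear in a response served to end users.
SENSITIVE_KEY = re.compile(r"(secret|token|password|private_key)", re.I)


def find_sensitive_keys(obj, path=""):
    """Walk a JSON-like response and return dotted paths of keys that look like credentials."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else str(k)
            if SENSITIVE_KEY.search(str(k)):
                hits.append(p)
            hits.extend(find_sensitive_keys(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_sensitive_keys(v, f"{path}[{i}]"))
    return hits


if __name__ == "__main__":
    print("vulnerable:", find_sensitive_keys(connected_apps_vulnerable(CONNECTED_APPS)))
    print("hardened:  ", find_sensitive_keys(connected_apps_hardened(CONNECTED_APPS)))
```

The allowlist is the actual fix; the key scan is the check that keeps the fix from regressing when someone later adds a field to the model or switches to a generic serializer. In a real service the scan would run against the recorded response of every user-facing endpoint in the integration test suite.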
Anand Prakash reported the vulnerability to Uber on 5 October 2018, and Uber agreed to public disclosure on 8 February 2019.