Monday, June 20, 2016

Uber Promo-Codes Predictable Vulnerability


Hello Everyone!
Today I will talk about a high-risk vulnerability in Uber which allows an attacker to use the Uber service for free by using other people's promo-codes.


Uber has a feature that allows the usage of promotion codes. These codes can be given by other users or companies. The application URL get.uber.com/invite/<code_name> had this feature, which allows any user to invite another user to join Uber and get one or more free rides based on the promo-code value, its amount and the currency of the country. After I tried different usernames beginning with the word uber+<code_name> and brute-forced the request with different names, I realized that the application didn't have any kind of protection against brute-force attacks, which helped me find many different promotion codes with high amounts in dollar currency, between $5,000 and $25,000, and with different numbers of free rides, between one and three. I guess these codes may be related to another type of vehicle, for example a helicopter; I don't know, because these amounts are too high for cars.

The image below demonstrates the promo-code brute-force attack and the different codes that were found, with amounts ranging from low to high.









An attacker can also filter the brute-force results by amount, as below:



Since all the default codes began with the word "uber" and can be customized, I was able to brute-force and find more codes.
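The missing control here is any per-client budget on lookups of get.uber.com/invite/<code_name>. The following is an added example, not Uber's code and not code from the original post: a sliding-window rate limiter placed in front of a promo-code lookup, with the unprotected behaviour beside the hardened one. The promo table, the endpoint function names, the client address and the thresholds are all constructed for the example.

```python
"""
Added example (not Uber's code): a per-client sliding-window rate limit in
front of a promo-code lookup such as get.uber.com/invite/<code_name>.

Assumptions (hypothetical, not from the original post):
- PROMO_TABLE stands in for the real code store.
- The limiter is keyed on client IP and kept in memory; a real deployment
  keys on several signals (account, device, IP) and uses shared storage.
"""
from collections import defaultdict, deque
from typing import Optional

# Constructed sample data: a tiny table of invite codes and their values.
PROMO_TABLE = {
    "uberwelcome": {"amount": 20, "currency": "USD", "rides": 1},
    "ubersummer":  {"amount": 15, "currency": "USD", "rides": 2},
}

WINDOW_SECONDS = 60   # length of the sliding window
MAX_LOOKUPS = 10      # lookups allowed per client per window


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        # Evict timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # budget exhausted: reject without touching the store
        q.append(now)
        return True


def lookup_invite_unprotected(code: str) -> Optional[dict]:
    """The weak behaviour described in the post: every guess gets a real answer."""
    return PROMO_TABLE.get(code.lower())


def lookup_invite(code: str, client_ip: str, now: float,
                  limiter: SlidingWindowLimiter) -> tuple:
    """Hardened lookup returning (status, body).

    Every attempt, valid or invalid, is charged to the client's budget, so an
    enumerator cannot probe for free; once the budget is gone the answer is
    429 even for a code that would have been valid.
    """
    if not limiter.allow(client_ip, now):
        return 429, {"error": "too many requests"}
    promo = PROMO_TABLE.get(code.lower())
    if promo is None:
        return 404, {"error": "invalid code"}
    return 200, promo


def simulate_enumeration(guesses: list, client_ip: str = "198.51.100.7",
                         start: float = 0.0) -> dict:
    """Replay a burst of guesses (10 per second) from one client through a
    fresh limiter and count how each request was answered."""
    limiter = SlidingWindowLimiter(MAX_LOOKUPS, WINDOW_SECONDS)
    counts = {200: 0, 404: 0, 429: 0}
    for i, code in enumerate(guesses):
        status, _ = lookup_invite(code, client_ip, start + i * 0.1, limiter)
        counts[status] += 1
    return counts


if __name__ == "__main__":
    burst = ["uber%04d" % i for i in range(50)] + ["uberwelcome"]
    # Only the first 10 guesses are answered; the valid code at the end is
    # refused because the client already spent its budget on guessing.
    print(simulate_enumeration(burst))
```

The point of charging every attempt, not only invalid ones, is that the limiter then gives no free signal to an enumerator; the unprotected function is the behaviour the post describes, where each of thousands of guesses is answered. Keying purely on IP is an assumption of the example and is weak against distributed sources, which is why a production limiter also counts per account or device.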


For promo-codes there are two types:
  1. Invite promo-codes, which are supposed to be public for sign-up.
  2. Invite codes called "Emergency Ride" codes, which are supposed to be private and hidden.

The brute-force explained above targeted type (1), but there is still a high risk: what if an attacker finds a promo-code of type (2)? That is what happened in the following HackerOne report: https://hackerone.com/reports/125505. The reporter found a promo-code by coincidence which allowed him to use it without signing up as a new user. Uber fixed the brute-force vulnerability in the payment page by applying rate-limiting, but left two other areas of the application still vulnerable: the one I explained above, and the code customization feature in the "profile" page, which was discovered by another researcher, "Ali Kabeel".



DISCLOSURE TIMELINE

April 25, 2016 – Bug reported to Uber
March 27, 2016 – Uber's team changed the status to Informative; they considered this out of scope !! and said it can be reported to the fraud team !! as below:

This is the weirdest reply I have ever seen in my life !!! r u drunk !! This is not an incident to report to the fraud team, this is a vulnerability which, if ignored, can lead to a lot of fraud incidents; that's the difference. So after 2 months I decided to update my report with more explanation and details, including my new finding about high-amount codes, e.g. $5,000 and $25,000, because I found that the following report got rewarded: https://hackerone.com/reports/125505. It was the same vulnerability I reported, but in a different place, so how !!!! In addition, they didn't mention anything about out-of-scope or fraud !!! as below:

In the beginning they closed his report as Informative, like what happened to me, but after his explanation they got it and understood the risk. They didn't even have any idea about the hidden codes, as below:

If they don't know about the existence of hidden codes, then who is supposed to know!!!!

Anyway, after I updated my report I got the same reply and they changed the status to Duplicate !!
June 18, 2016 – Provided new information
June 20, 2016 – Uber's team changed the status to Duplicate !!! So why not a duplicate of the initial report? That means !!! they're unstable and they can't understand the reports.

So I recorded a video as a proof-of-concept to publicly disclose this vulnerability.




Finally, I'm not the only researcher who reported this vulnerability, and that means we all agree that this is a vulnerability. Ali Kabeel, a security researcher, also reported the same vulnerability but in a "third" different place in the application, which I mentioned above: it exists in the code customization feature at the riders.uber.com/profile URL, as below:


But brute-forcing via the above URL in code customization has a limitation: it distinguishes only between two statuses, valid and not valid, without the amount of the promo-code. There are two response codes which distinguish valid from not valid, as below:

  1. 200 means (invalid code)
  2. 406 means (valid code and already existing for someone else)
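A code-customization check has to tell the user whether a code is taken, so the 200/406 distinction cannot simply be removed; what can be done is to notice when one client asks that question hundreds of times. The following is an added example, not Uber's code and not code from the original post: a detector that parses access-log lines for the customization check, counts the distinct codes each client tried inside a sliding window, and reports how many 406 responses (codes confirmed as belonging to someone else) the client collected. The log-line layout, the path /profile/promo-code?code=<value>, the client names and addresses, and the thresholds are all constructed for the example.

```python
"""
Added example (not Uber's code): detecting enumeration of the profile
code-customization check from web access logs.

The post states the check answers 200 for an invalid code and 406 for a code
that already belongs to someone else. A legitimate user picks a custom code a
handful of times; an enumerator submits many distinct codes and collects 406s.

Assumptions (constructed, not from the original post): the log line layout
"<iso-ts> <ip> <user> <method> <path> <status>", the path
/profile/promo-code?code=<value>, and the thresholds below.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
CHECK_PATH = "/profile/promo-code"   # hypothetical path of the customization check
WINDOW = timedelta(minutes=5)
DISTINCT_THRESHOLD = 20              # distinct codes within WINDOW that we call enumeration


def parse_line(line):
    """Return an event dict for a customization-check request, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None                                  # lines in other shapes are ignored
    d = m.groupdict()
    url = urlparse(d["path"])
    if url.path != CHECK_PATH:
        return None                                  # only the check endpoint matters
    code = parse_qs(url.query).get("code", [None])[0]
    if code is None:
        return None
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "ip": d["ip"],
        "user": d["user"],
        "code": code.lower(),
        "status": int(d["status"]),
    }


def detect_enumeration(lines, threshold=DISTINCT_THRESHOLD, window=WINDOW):
    """Return {(user, ip): {"distinct": n, "confirmed": n406}} for every client
    that tried more than `threshold` distinct codes inside some `window`."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_client[(ev["user"], ev["ip"])].append(ev)

    findings = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        left = 0
        codes_in_window = Counter()   # code -> occurrences inside the window
        n406 = 0                      # 406 responses inside the window
        for ev in evs:
            codes_in_window[ev["code"]] += 1
            n406 += ev["status"] == 406
            # Slide the left edge forward until the window fits.
            while ev["ts"] - evs[left]["ts"] > window:
                old = evs[left]
                codes_in_window[old["code"]] -= 1
                if codes_in_window[old["code"]] == 0:
                    del codes_in_window[old["code"]]
                n406 -= old["status"] == 406
                left += 1
            if len(codes_in_window) > threshold:
                prev = findings.get(client)
                if prev is None or len(codes_in_window) > prev["distinct"]:
                    findings[client] = {"distinct": len(codes_in_window),
                                        "confirmed": n406}
    return findings


def build_sample_log():
    """Constructed sample traffic (not real logs): one ordinary user choosing a
    code, one client sweeping 40 codes in 40 seconds and hitting 5 taken ones."""
    lines = [
        "2016-06-20T10:00:00 203.0.113.5 alice GET /profile/promo-code?code=alice2016 200",
        "2016-06-20T10:01:10 203.0.113.5 alice GET /profile/promo-code?code=alicerides 406",
        "2016-06-20T10:02:30 203.0.113.5 alice GET /profile/promo-code?code=alice_rides 200",
        "2016-06-20T10:02:31 203.0.113.5 alice GET /profile 200",
    ]
    base = datetime(2016, 6, 20, 10, 0, 0)
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        status = 406 if i % 8 == 0 else 200          # every eighth guess hits a taken code
        lines.append(f"{ts} 198.51.100.9 mallory GET /profile/promo-code?code=uber{i:04d} {status}")
    return lines


if __name__ == "__main__":
    for client, info in detect_enumeration(build_sample_log()).items():
        print(client, info)
```

The "confirmed" count is the number worth escalating on: each 406 in the run is an existing user's code that the client now knows, which is the exposure the post describes. Keying findings on (user, ip) is an example choice; a deployment that authenticates the profile page should key on the account alone so that the sweep is attributed even when the client changes address.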




DISCLOSURE TIMELINE

June 18, 2016 – Bug reported to Uber
June 20, 2016 – Uber’s team changed status to Duplicate 

He also got the same reply, that it is out of scope and to report it to the fraud team !!!! So how? It had the same impact as mine and as the rewarded report mentioned above. !!!

Conclusion:
Uber's security team ignored these 2 areas of the application, which are still vulnerable to brute-force, so it poses a risk for all users: an attacker can sign up with a valid high-amount promo-code for more than one free ride. In addition, by coincidence an attacker can get a valid "Emergency Ride" promo-code, which is supposed to be hidden and belongs to someone else.

UPDATE:
After 6 hours of public disclosure, Uber's security team contacted me again and admitted that this is a valid vulnerability and that it had already been patched. Then, one week after the patch, I found that the Uber mobile application was still vulnerable, and in this one I was able to get more information about any rider via the promo-code brute-forcing attack, including the rider's image, country, full name and expired or valid promo-codes, which can be escalated to perform social engineering attacks. Find the PoC video below :)



When I reported again, this time for the mobile application, it was marked as a duplicate and they were already working on a fix.

About Author:


I'm Mohamed M. Fouad, Information Security Engineer / Consultant at SecureMisr and an independent security researcher from Egypt with more than 8 years of experience in web and mobile application development, penetration testing, secure coding, network penetration testing, security code auditing and incident response. I have conducted vulnerability assessments and penetration testing for many high-profile companies and banks all over the Middle East. In addition, I have worked as a freelancer with multinational companies, e.g. Monster Recruitment...

I have received acknowledgements from many firms, such as:
Microsoft, Oracle, Yahoo, eBay, Sony, WordPress, ESET, BitDefender, AT&T, Huawei, DropCam, Bitcasa, Get Pocket, Splitwise and so many more...



3 comments:

  2. Superbly written article, if only all bloggers offered the same content as you, the internet would be a far better place.. Vulnerabilty