A GROUP OF Portuguese security researchers has hitched a ride to cash money by going along with the Uber bug bounty programme and finding the taxi 2.0 company some fixable problems.
The group at Integrity Labs said that it seized on the opportunity to pull the high-profile company apart as soon as it saw that cash was on offer. It had early, but poor, results.
"Uber decided to open their bug bounty programme to the public, and in Portugal, Uber was almost a daily issue in the news because of the taxi drivers, so we dove right into this programme," said Integrity Labs in a blog post.
"After a couple of hours, we found two open redirects that we reported right away. This could be the start of something good (we thought), but both issues were already reported by other researchers."
Effort is its own reward (although cash also works), and the team pushed ahead. It assessed the scale of the Uber payout system, which was controversially rewritten at one point, and looked to see what was available.
"To gather more information about Uber subdomains we started with a DNS brute-force," the post said.
"With all subdomains enumerated, all that was left was to use nmap and check for banners, page titles, page redirects as well as exploit-db and some blogs for known vulnerabilities."
We don't know how long it took, but the group found six vulnerabilities, including one involving codes given to Uber users.
Integrity Labs found that these were rather simple to exploit, and uncovered a $100 emergency trip voucher that even Uber did not know existed on its systems. A bounty was paid.
Other bugs could let hackers identify a passenger and trace their journeys and locations, which has some obvious privacy implications. In one case the team was able to get the driver's name, licence number, last trip information, last passenger name, number of passengers, and the origin and destination of the trip.
Some of the hits turned out to be misses because they duplicated reports already filed by other researchers, but Integrity must have done reasonably well out of its efforts.
"This was our first bug bounty programme that we really dedicated some time to, and we think it had a positive outcome," the group said.
"At the beginning we weren't too confident with this programme because a lot of people had already tested Uber in the private programme, but after some time, and when we started to find some good vulnerabilities, it gave us the drive to continue and see where it could lead us.
"For the people who are starting the bug bounty programmes, our advice is: never give up or be afraid if it is a big company, just have fun and try to learn as much as possible along the way and in time the profits will come."
We've asked Uber for its comments. Presumably it will honk the horn from outside when it's ready.