Three hackers have found eight holes in Uber that could allow fake drivers to be created and user email addresses reveal, and found more than 1000 of valid coupon codes including one giving drivers $100 extra in fare rides.
The flaws have been reported to Uber which is working through to develop fixes.
The team of Vitor Oliveira (@r0t1v), Fábio Pires (@fabiopirespt) , and Filipe Reis (@fjreis) of Portugal-based consultancy Integrity described six of the since patched flaws.
They kept details of the remaining holes under wraps until Uber issues fixes.
“After a couple of hours, we found out two open redirects that we reported right away,” the hackers say.
“From a pentester’s view, the security team takes this program very seriously by trying to resolve all the issues as fast as they can.”
The team describe in detail how they chained the vulnerabilities to create more elaborate and dangerous attack scenarios, gaining access to personal information, device data, and trip histories for drivers and riders.
They abused the Uber help section to find user email addresses, peered into requests during fare splits to find a passenger’s picture, UUID, and phone number, and find driver and passenger trip details including the full directions of fares which can be plotted on a map.
They also messed with Uber’s driver account activation to create and validate fake drivers.
Oliveira, Pires, and Reis found a litany of discount coupons using brute force checks that Uber failed to rate-limit. Of those, the most valuable was a $100 Emergency Ride Home code that if applied would hand drivers a further $100 on top of regular fares.
The team did not reveal how much they received as part of Uber’s bug bounty cash rewards but applauded Uber for its responsiveness.