Mohamed M. Fouad, an independent security researcher and information security consultant based in Egypt, has disclosed a critical vulnerability in Uber's web application. By brute-forcing the invite endpoint, an attacker can obtain valid promo codes worth up to $25,000 and good for more than one free ride.
The "promo codes brute-force attack" vulnerability lies in Uber's sign-up invitation link, which lets any user invite another user to join the service and receive one or more free rides, depending on the value of the promotion code.
How it works
Security researcher Mohamed M. Fouad explained how he was able to obtain the promo codes:
Uber supports promotion codes, which can be handed out by other users or by companies. The application URL get.uber.com/invite/<code_name> implements this feature: it lets any user invite another user to join Uber and receive one or more free rides, depending on the promo code's value, amount and the currency of the country. Fouad tried usernames of the form uber+<code_name> and brute-forced the request with different names. He found that the application had no protection of any kind against brute-force attacks, which let him discover many promotion codes with high dollar values, between $5,000 and $25,000, each carrying between one and three free rides. The root cause is the combination of guessable code names and an unthrottled endpoint whose response distinguishes a valid code from an invalid one.
He speculates that codes with such high amounts may belong to another vehicle type, for example helicopters, since the amounts are too high for cars. He also posted a proof-of-concept video, which was later removed.
Screenshot: brute-force response showing a $5,000 promo code
Screenshot: brute-force response showing a $25,000 promo code
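The two ingredients described above, guessable code names and an endpoint that answers every guess, are easy to show side by side. The following is an added example written for this article, not Uber's code or the researcher's script: the invite-code table, the wordlist and the client address are all constructed, and the sliding-window limiter and token-based code generator are one reasonable hardening, not a description of what Uber later deployed. The clock is injectable so the limiter's behaviour is deterministic.

```python
"""Enumeration of "uber+<name>" invite codes against an unthrottled lookup,
beside a rate-limited lookup and a high-entropy code generator.
Constructed example: the codes, wordlist and client address are invented."""
import secrets
import time
from collections import defaultdict, deque

# Constructed: guessable invite codes of the shape the article describes.
VALID_CODES = {
    "uberalice": {"amount": 20, "currency": "USD", "rides": 1},
    "uberbob": {"amount": 5000, "currency": "USD", "rides": 2},
    "ubercarol": {"amount": 25000, "currency": "USD", "rides": 3},
}

# Constructed attacker wordlist: common first names to prefix with "uber".
WORDLIST = ["dave", "erin", "alice", "bob", "carol", "frank", "grace", "heidi"]


def lookup_invite_unprotected(code):
    """The failure mode in the article: every guess is answered at once and a
    hit is distinguishable from a miss, so enumeration is a plain loop."""
    return VALID_CODES.get(code)


def enumerate_unprotected(wordlist, prefix="uber"):
    """Attacker loop against the unthrottled endpoint: collect every hit."""
    found = {}
    for name in wordlist:
        code = prefix + name
        promo = lookup_invite_unprotected(code)
        if promo is not None:
            found[code] = promo
    return found


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `key` in any `window` seconds.
    `now` is injected (defaults to a monotonic clock) for testability."""

    def __init__(self, limit, window, now=time.monotonic):
        self.limit = limit
        self.window = window
        self.now = now
        self.hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key):
        t = self.now()
        q = self.hits[key]
        while q and q[0] <= t - self.window:  # drop requests outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True


def lookup_invite_protected(code, client, limiter):
    """Hardened lookup: every attempt, hit or miss, counts against the client,
    and unknown codes get one uniform 'not_found' response."""
    if not limiter.allow(client):
        return {"status": "rate_limited"}
    promo = VALID_CODES.get(code)
    if promo is None:
        return {"status": "not_found"}
    return {"status": "ok", "promo": promo}


def enumerate_protected(wordlist, client, limiter, prefix="uber"):
    """Same attacker loop against the throttled endpoint; returns the hits
    and how many guesses were refused."""
    found, blocked = {}, 0
    for name in wordlist:
        code = prefix + name
        resp = lookup_invite_protected(code, client, limiter)
        if resp["status"] == "rate_limited":
            blocked += 1
        elif resp["status"] == "ok":
            found[code] = resp["promo"]
    return found, blocked


def generate_invite_code(nbytes=16):
    """Unguessable replacement for uber+<name>: 128 bits from the OS CSPRNG,
    which no wordlist reaches even without a rate limit."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print("unprotected:", enumerate_unprotected(WORDLIST))
    limiter = SlidingWindowLimiter(limit=2, window=60)
    print("protected:", enumerate_protected(WORDLIST, "203.0.113.7", limiter))
    print("random code:", generate_invite_code())
```

Against the unprotected lookup the loop recovers all three codes; with a limit of two lookups per minute per client, the same wordlist yields nothing and six of eight guesses are refused. Note that the limiter counts misses as well as hits, since an attacker's traffic is almost entirely misses; a limiter keyed only on successful lookups would not help here.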
Fouad reported the flaw to the Uber security team multiple times, but the company did not accept the bug report and considered the vulnerability out of scope.
In October of last year, security researchers reported a leak of drivers' personal information.