Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
SUBSCRIBE
Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
Zerosecurity
No Result
View All Result
Home Security

Exploit found in Uber earns researcher $10k

Kyle by Kyle
June 8, 2016
in Security, Exploits
0
Uber exploit found, $10k rewarded
74
SHARES
1.2k
VIEWS
Share on FacebookShare on Twitter

Rideshare company and mobile app, Uber, fixed a vulnerability within its website that could have allowed a hacker to log into a few “.uber.com” subdomains with a non existant-password and may have led to their internal networking being compromised.

You might also like

Google reports a rise in ransomware attacks

Cross-Site Scripting (XSS) attack method steals your browser’s auto-fill credentials

Citrix exploit CWE-284 allows hackers to reset admin password

Uber provided Finnish security researcher Jouko Pynnönen $10,000 for identifying the exploit a month back, this is the highest bounty the company has paid out since it launched the bug bounty program earlier this year. Currently they have had 230 reports and over $340,570 in reward money paid averaging $500 to $1000 per bounty.

The exploit had two parts, reported Pynnönen, one that enabled him to circumvent the system Uber uses for employee verification, OneLogin, and an exploit which could have let an attacker take over Uber’s internal network, hosted on Atlassian’s Confluence collaboration systems.

The research said the WordPress plugin supplied by OneLogin included a bug that permitted an attacker to provide any username, email address or role they wished.

“If the username doesn’t already exist in the WordPress database, then the plugin will create a new user,” Pynnönen mentioned in the writeup on HackerOne.

Uber was fast to deal with the issues, fixing both of them in a day. Then they awarded Pynnonen with the company’s maximum bounty. The large payout was a result of the chained JavaScript source, something Uber confesses “elevates the impact” of the bug.

Tags: Bug BountyUber
Share30Tweet19
Kyle

Kyle

Co-owner, writer, and editor at ZeroSecurity. Security, Blockchain, and SEO enthusiast. "Formal education will make you a living; self-education will make you a fortune."

Recommended For You

Google reports a rise in ransomware attacks

by Paul Anderson
July 15, 2022
0
Google reports a rise in ransomware attacks

In the 3rd issue of the recently released, Threat Horizons, Google's Cybersecurity Action Team (GCAT) provides organizations with information about emerging risks and actionable mitigation. Bad actors have...

Read more

Cross-Site Scripting (XSS) attack method steals your browser’s auto-fill credentials

by Christi Rogalski
July 11, 2022
0
Cross-Site Scripting (XSS) attack method steals your browser’s auto-fill credentials

Cross-site scripting, also known as XSS, attacks rank high on lists of common cybersecurity risks. It is the injection of malicious code into the web application to exploit...

Read more

Citrix exploit CWE-284 allows hackers to reset admin password

by Christi Rogalski
July 8, 2022
0
Citrix CWE-284 CVE-2022-27511 exploit

A critical bug has been identified in the Citrix Application Delivery Management console (ADM) that, if exploited, could lead to a serious security breach including allowing the attackers...

Read more

Cloudflare Stops Record-Breaking DDoS

by Christi Rogalski
June 29, 2022
0
Cloudflare record breaking DDoS

Cloudflare has reported that it successfully neutralized the largest recorded DDoS attack in history. The attack, a 26 million request per second onslaught, targeted a customer on the...

Read more

Chrome Browser Extension Vytal Prevents Privacy Leaks

by Christi Rogalski
June 19, 2022 - Updated on June 20, 2022
0
Vytal Chrome Extension spoofs location data

Released in 2008, Google Chrome is a cross-platform web browser. With over 3.2 billion internet users worldwide, there's no denying that Chrome is the most popular browser today....

Read more
Next Post
Angler Exploit Kit remains undetected

Angler Exploit Kit remains undetected

Related News

BlueSky Ransomware backdoors KMSAuto activator

BlueSky Ransomware Infects KMSAuto Activator users

July 20, 2022 - Updated on July 22, 2022
BlackCat Ransomware aka “ALPHV” infections on the rise

BlackCat Ransomware aka “ALPHV” infections on the rise

June 16, 2022 - Updated on July 20, 2022
GIFs in messaging apps are tracking you

GIFs in messaging apps are tracking you

July 19, 2022
Zerosecurity

We cover the latest in Information Security & Blockchain news, as well as threat trends targeting both sectors.

Categories

  • Crypto
  • Data Breaches
  • DotNet Framework
  • Downloads
  • Exploits
  • Exploits
  • Information
  • Legal
  • Malware
  • Malware Analysis
  • Mobile Security
  • Paper Downloads
  • Piracy
  • Privacy
  • Programming
  • Public
  • Security
  • Security
  • Software & Service Reviews
  • Technology News
  • Tools
  • Tutorials
  • Video Tutorials
  • Whitepapers
  • Zero Security
  • Contact Us
  • List of our Writers

© 2022 ZeroSecurity, All Rights Reserved.

No Result
View All Result
  • Home
  • Security
  • Exploits
  • Data Breaches
  • Malware
  • Privacy
  • Mobile Security
  • Tools
  • Contact Us
  • Privacy Policy

© 2022 ZeroSecurity, All Rights Reserved.