Rideshare company and mobile app Uber has fixed a vulnerability in its website that could have allowed an attacker to log into several “.uber.com” subdomains with a non-existent password, and that may have led to its internal network being compromised.
Uber paid Finnish security researcher Jouko Pynnönen $10,000 for identifying the exploit a month ago; this is the highest bounty the company has paid out since it launched its bug bounty program earlier this year. To date it has received 230 reports and paid out over $340,570 in rewards, averaging $500 to $1,000 per bounty.
The exploit had two parts, Pynnönen reported: one that let him circumvent the system Uber uses to verify employees, OneLogin, and one that could have let an attacker take over Uber’s internal network, hosted on Atlassian’s Confluence collaboration platform.
The researcher said the WordPress plugin supplied by OneLogin contained a bug that let an attacker supply any username, email address or role they wished.
“If the username doesn’t already exist in the WordPress database, then the plugin will create a new user,” Pynnönen wrote in his writeup on HackerOne.
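The flaw class the writeup describes is an SSO login handler that takes the username, email and role straight from an unverified assertion and auto-provisions an account if none exists. The following is an added, constructed example (not OneLogin's plugin code and not taken from the writeup) that puts that pattern beside a hardened version: the assertion is signature-checked against the identity provider's key, its issuer and expiry are validated, and the WordPress role is chosen from a server-side mapping rather than read from the assertion. The JSON-plus-HMAC assertion, the `UserStore` class, the secret and the issuer URL are all stand-ins for SAML and the WordPress user table, assumed here for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed, in-memory stand-in for the WordPress user table.
class UserStore:
    def __init__(self):
        self.users = {}

    def get(self, username):
        return self.users.get(username)

    def create(self, username, email, role):
        self.users[username] = {"email": email, "role": role}
        return self.users[username]


def login_vulnerable(store, assertion):
    """The pattern the writeup describes: whatever the assertion claims is
    trusted, and an unknown username is simply created with the claimed role."""
    user = store.get(assertion["username"])
    if user is None:
        user = store.create(assertion["username"], assertion["email"], assertion["role"])
    return user


# Assumed stand-ins: a shared key in place of the IdP's signing key, and a
# fixed issuer the service provider expects. Real SAML uses XML signatures.
IDP_SECRET = b"constructed-shared-secret"
TRUSTED_ISSUER = "https://idp.example/"

# Role is decided server-side from the IdP group, never taken from the assertion.
ROLE_MAP = {"employees": "subscriber"}


def sign(assertion):
    """Constructed signing step: HMAC over the canonical JSON form of the assertion."""
    body = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(IDP_SECRET, body, hashlib.sha256).hexdigest()


def login_hardened(store, assertion, signature):
    """Only a signed, unexpired assertion from the trusted issuer is accepted,
    and the account role comes from ROLE_MAP, not from the assertion."""
    if not hmac.compare_digest(sign(assertion), signature):
        raise PermissionError("assertion signature invalid")
    if assertion.get("issuer") != TRUSTED_ISSUER:
        raise PermissionError("untrusted issuer")
    if assertion.get("expires", 0) <= time.time():
        raise PermissionError("assertion expired")
    role = ROLE_MAP.get(assertion.get("group"))
    if role is None:
        raise PermissionError("no role mapping for group")
    user = store.get(assertion["username"])
    if user is None:
        user = store.create(assertion["username"], assertion["email"], role)
    return user


if __name__ == "__main__":
    store = UserStore()
    # Constructed unsigned assertion claiming an administrator role.
    claimed = {"username": "mallory", "email": "m@example.invalid", "role": "administrator"}
    print("vulnerable handler created:", login_vulnerable(store, claimed))
    try:
        login_hardened(store, claimed, "")
    except PermissionError as err:
        print("hardened handler rejected:", err)
```

The key design choice is that the hardened handler never reads a role from the assertion at all: even a correctly signed assertion that carries `"role": "administrator"` yields whatever `ROLE_MAP` assigns to the user's group. Auto-provisioning is still allowed, but only after the assertion's origin has been proven.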
Uber was quick to deal with the issues, fixing both within a day, and then awarded Pynnönen the company’s maximum bounty. The large payout reflected the chained nature of the exploit, something Uber admits “elevates the impact” of the bug.