Researchers at Integrity, a security consulting and audit firm based in Portugal, found a number of vulnerabilities in Uber's websites that attackers could exploit to access driver and passenger details. Several further issues were also discovered that could likewise be exploited to obtain Uber driver and passenger information.
One of the worst findings concerned riders.uber.com, a site that includes a payment page and had no protection against brute-force attacks. The page lets users enter promotion codes, and the flaw identified allows attackers to keep generating candidate promo codes until they hit valid ones.
The Uber app itself is a mobile application developed by Uber Technologies Inc., an American multinational online transportation company. It lets smartphone users submit a trip request, which is then forwarded to an Uber driver who uses their own car.
The researchers found that Uber's sites had no protection against brute-force attacks, which let them generate promo codes until they found usable ones. Using brute force, the researchers found 1,000 valid codes, but Uber classified the report as not a valid issue on the grounds that promotion codes are public. In total, the ride-sharing service had a dozen flaws that attackers could exploit to access driver and passenger data. The promotional-code feature implemented no mechanism to defeat brute-force attacks, so an attacker could simply try every possible combination of characters. Among the codes found were $100 ERH codes, which can be applied on top of all other promo codes.
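The promo-code problem is a missing throttle on a guessable code space. The following Python sketch is an added example, not code from Integrity's report or from Uber: it models a short constructed code format ("RIDE" plus two characters), shows an attacker enumerating the whole space against an unprotected redemption endpoint, then against a per-account lockout, and contrasts the tiny search space with a code drawn from the OS CSPRNG. All names, codes and limits are assumptions for illustration.

```python
import math
import secrets
import string
import time
from itertools import product

# Constructed example data (not Uber's): a short promo-code format and a few
# "valid" codes that the attacker does not know in advance.
ALPHABET = string.ascii_uppercase + string.digits
PREFIX = "RIDE"
SUFFIX_LEN = 2
VALID_CODES = {"RIDE7Q", "RIDEA3", "RIDEZZ"}


def redeem_unprotected(code, account="attacker"):
    """Weak design: every guess is answered and nothing is counted per account,
    so the whole code space can be walked until the valid codes fall out."""
    return code in VALID_CODES


class ThrottledRedeemer:
    """Hardened design: per-account failure counter with a lockout window.
    `clock` is injectable so the lockout expiry can be tested offline."""

    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}  # account -> (failed attempts, time of last failure)

    def redeem(self, code, account):
        fails, last = self._failures.get(account, (0, 0.0))
        if fails >= self.max_attempts:
            if self.clock() - last < self.lockout_seconds:
                raise PermissionError("too many attempts; account temporarily locked")
            fails = 0  # lockout window has expired, start counting again
        if code in VALID_CODES:
            self._failures.pop(account, None)
            return True
        self._failures[account] = (fails + 1, self.clock())
        return False


def enumerate_codes(redeem, account="attacker"):
    """Attacker loop: try every suffix in order; stop as soon as the server
    locks the account. Returns (valid codes found, guesses the server answered)."""
    found, guesses = [], 0
    for suffix in product(ALPHABET, repeat=SUFFIX_LEN):
        code = PREFIX + "".join(suffix)
        try:
            ok = redeem(code, account)
        except PermissionError:
            break
        guesses += 1
        if ok:
            found.append(code)
    return sorted(found), guesses


def code_space_bits(alphabet_size, length):
    """Entropy of a code whose only secret part is `length` symbols."""
    return math.log2(alphabet_size ** length)


def generate_code(nbytes=12):
    """Unguessable code: 12 random bytes (~96 bits) from the OS CSPRNG,
    URL-safe so it can still be typed or pasted into a form."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print("unprotected:", enumerate_codes(redeem_unprotected))
    print("throttled:  ", enumerate_codes(ThrottledRedeemer().redeem))
    print("code space: %.1f bits vs %d-bit random code" % (
        code_space_bits(len(ALPHABET), SUFFIX_LEN), 8 * 12))
```

Two points the sketch makes concrete: a two-character suffix over 36 symbols is about 10 bits, so even a mild per-account limit is not enough on its own if the attacker can spread guesses across many accounts or IPs, which is why the code itself also needs to be long and random; and the lockout check must happen before the membership test, otherwise a locked account can still learn whether a guess was right from a timing or error difference.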
Analysing the Uber apps, the researchers discovered that when a user asks to split a fare with someone, the server's responses contain the unique identifiers (UUIDs) of the driver and of the person invited to split the fare. With such a UUID, the person's private email address can be retrieved from Uber's servers through the Help section of the app. The Uber driver app can be downloaded and installed on any mobile device, but it is only supposed to be usable through accounts that the company has activated. The researchers found that this check could be bypassed simply by changing the value of the "isActivated" field from false to true.
Once inside the driver app, a user who knows a targeted driver's UUID can obtain information such as the driver's name, license plate, and details of the driver's most recent passengers and trips. Another vulnerability allows attackers to impersonate any user whose unique identifier they know and retrieve that user's entire trip history, including driver details, locations and cost. The researchers recommend that Uber provide test accounts so that such vulnerabilities can be found without touching real users' data.
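The issues in the last two paragraphs share one root cause: the server takes identity and state from the client (an "isActivated" flag, a UUID, a trip id) instead of from the authenticated session. The Python sketch below is an added example and not code from Integrity's report or from Uber; it places each weak handler beside a hardened version that resolves the caller from a server-side session and enforces object-level authorization. The record layout, UUIDs, names and plates are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample records (not Uber data): two drivers, one of whom the
# company has not activated, one rider, one trip, and a UUID -> e-mail table.
@dataclass(frozen=True)
class Driver:
    uuid: str
    name: str
    plate: str
    activated: bool  # set by the company, never taken from the client


@dataclass(frozen=True)
class Trip:
    trip_id: str
    rider_uuid: str
    driver_uuid: str
    pickup: str
    cost: float


DRIVERS = {
    "d-1": Driver("d-1", "Ana", "11-AB-22", True),
    "d-2": Driver("d-2", "Bob", "33-CD-44", False),
}
TRIPS = {"t-1": Trip("t-1", "r-1", "d-1", "Rua Augusta, Lisboa", 12.5)}
EMAILS = {"r-1": "rider@example.com", "d-1": "ana@example.com", "d-2": "bob@example.com"}


@dataclass(frozen=True)
class Session:
    """Server-side session: the only trustworthy source of who the caller is."""
    user_uuid: str


# --- weak pattern: identity and state are read from the request body ---------

def driver_home_unprotected(request):
    """Trusts "isActivated" and the driver UUID sent by the client, so flipping
    the flag to true in the request unlocks any driver's profile."""
    if not request.get("isActivated"):
        raise PermissionError("account not activated")
    d = DRIVERS[request["driver_uuid"]]
    return {"name": d.name, "plate": d.plate}


def trip_unprotected(request):
    """Anyone who knows (or guesses) a trip id receives the whole record."""
    return TRIPS[request["trip_id"]]


def help_contact_unprotected(request):
    """Resolves any UUID to an e-mail, which is how a UUID leaked in another
    response (e.g. a fare-split reply) turns into a private address."""
    return EMAILS[request["uuid"]]


# --- hardened pattern: everything is looked up from the authenticated session

def driver_home(session):
    """Activation state comes from the driver record, not from the request."""
    d = DRIVERS.get(session.user_uuid)
    if d is None or not d.activated:
        raise PermissionError("account not activated")
    return {"name": d.name, "plate": d.plate}


def trip(session, trip_id):
    """Return the trip only to a party to it. A missing trip and a trip the
    caller is not part of produce the same error, so the response does not
    confirm which ids exist."""
    t = TRIPS.get(trip_id)
    if t is None or session.user_uuid not in (t.rider_uuid, t.driver_uuid):
        raise LookupError("no such trip")
    return t


def help_contact(session):
    """The help form never accepts a UUID from the client; it uses the caller's."""
    return EMAILS[session.user_uuid]


if __name__ == "__main__":
    # Unactivated driver d-2 gets served by the weak handler just by sending the flag.
    print(driver_home_unprotected({"isActivated": True, "driver_uuid": "d-2"}))
    try:
        driver_home(Session("d-2"))
    except PermissionError as e:
        print("hardened:", e)
```

The important design choice is that the hardened handlers take a `Session` object rather than a request dict, so there is no way to pass a UUID or flag through them at all; the authorization check in `trip` compares the session's identity against the record's own owner fields, which is the check that was missing when any known UUID granted access to a user's trip history.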