An Independent Security Researcher from Egypt has discovered a critical vulnerability in Uber app that could allow an attacker to brute force Uber promo code value and get valid codes with the high amount of up to $25,000 for more than one free rides.
Mohamed M.Fouad has discovered a “promo codes brute-force attack” vulnerability in the sign-up invitation link for Uber that allows any user to invite another user to join the service and get one or more than one free rides based on the promotion code value.
Fouad realized that the Uber app did not have any kind of protection against brute-force attacks, allowing him to generate promo codes (that start with ‘uber+code_name’) until he found valid ones.
The brute force attempt helped Fouad find several numbers of valid promo codes with high value in US dollar between $5,000 to $25,000, which would have helped him get a number of free rides between one to three.
Another flaw was also discovered in mid-June that allowed attackers to use promo code without signing up with a new user.
Uber Team Refuses to Patch the Flaw
As a responsible security researcher, Fouad also reported the critical flaw multiple times to the Uber security team, but the company did not accept his bug report and considered the vulnerability out of scope.
“I reported this vulnerability three months ago, and I am not only the one who reported it,” Fouad told The Hacker News. “They always reply with out of scope and considered as a fraud, and we have to send this bug to fraud team.”
Another security researcher, named Ali Kabeel, also reported the same flaw but in riders.uber.com/profile URL code customization feature. He also gets the same response from the Uber team that the flaw is out of scope.
Although the company fixed the brute force vulnerability in the payment page by applying the rate-limiting, the above two areas of the app remain still vulnerable, which could lead to many fraud incidents.