- The issue could be exploited via an application programming interface (API).
- The flaw impacted both the users and drivers.
A vulnerability discovered in Uber could allow attackers to take control of any user account. The flaw impacted both the users and drivers.
What’s the matter?
Anand Prakash, the founder of AppSecure, discovered that the issue could be exploited via an application programming interface (API). This involved first acquiring the user universally unique identifier (UUID) of any user by sending an API request that included either their telephone number or email address.
“Once you have the leaked Uber UUID from the API request, you can replay the request using the victim’s Uber UUID and get access to private information like access token (mobile apps), location and address,” explained Prakash.
By leveraging the mobile app’s access token, Prakash was able to completely compromise an account, request a ride, get payment information, and more.
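The two weaknesses described above, an unauthenticated identifier lookup and a profile endpoint that trusts a client-supplied UUID and echoes the access token, are modelled below as an added example with constructed data; this is illustrative code written for this page, not Uber's API or Prakash's proof of concept. It assumes `caller_uuid` is the identity the server already verified from the session or bearer token, never a value read from the request body, and shows the vulnerable handlers next to hardened ones that authorize on that verified identity and keep the token out of the response.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory user store with made-up records (not real accounts).
@dataclass
class User:
    uuid: str
    email: str
    phone: str
    access_token: str
    home_address: str

ALICE = "11111111-aaaa-4bbb-8ccc-000000000001"  # constructed UUID
BOB = "22222222-aaaa-4bbb-8ccc-000000000002"    # constructed UUID
USERS = {
    ALICE: User(ALICE, "alice@example.com", "+15550001", "tok-alice", "1 Main St"),
    BOB: User(BOB, "bob@example.com", "+15550002", "tok-bob", "2 Elm St"),
}

def lookup_uuid_vulnerable(email_or_phone: str) -> Optional[str]:
    """Weakness 1: anyone can resolve a phone number or e-mail to a UUID."""
    for u in USERS.values():
        if email_or_phone in (u.email, u.phone):
            return u.uuid
    return None

def profile_vulnerable(caller_uuid: str, target_uuid: str) -> Optional[dict]:
    """Weakness 2: no check that target_uuid belongs to the caller (IDOR),
    and the mobile access token is returned in the profile body."""
    u = USERS.get(target_uuid)
    if u is None:
        return None
    return {"uuid": u.uuid, "address": u.home_address, "access_token": u.access_token}

def lookup_uuid_hardened(caller_uuid: str, email_or_phone: str) -> Optional[str]:
    """Fix 1: the lookup only resolves contact details of the verified caller,
    so it cannot be used to enumerate other users' UUIDs."""
    u = USERS.get(caller_uuid)
    if u is not None and email_or_phone in (u.email, u.phone):
        return u.uuid
    return None

def profile_hardened(caller_uuid: str, target_uuid: str) -> Optional[dict]:
    """Fix 2: authorize on the server-verified identity, and never echo
    a credential (access token) in a profile response."""
    if caller_uuid != target_uuid:
        raise PermissionError("caller may only read their own profile")
    u = USERS.get(target_uuid)
    if u is None:
        return None
    return {"uuid": u.uuid, "address": u.home_address}
```

On the detection side, the vulnerable pattern shows up in access logs as one client identity reading profiles for many distinct UUIDs; the hardened handler turns each such attempt into an authorization failure worth alerting on.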
How did Uber respond?
Upon discovery, Uber rectified the issue quickly. “Uber was very quick in rectifying the vulnerability after my report,” said Prakash, Forbes reported.
The ride-hailing app had implemented a fix by April 26, 2019.