The Bounty Hunter Anand Prakash – Bug Bounty Hunter does it again
Anand Prakash and his colleague at it again managed to unveil the essential API related vulnerability which led to the leakage of client secret and server tokens of all Uber developer applications. Anand Prakash – bug bounty hunter does it again
Anand Prakash, AppSecure is a top-ranked hacker to be precise 4th worldwide and 1st in India on Uber’s bug bounty program. He has earned more than 25 lakhs approx $35000 till date from Uber alone. This is not the first time the bug bounty hunter is doing it either, earlier in 2018 he managed to identify an issue on Tinder allowing them to login into any tinder account.
The bug bounty hunter is also ranked 3rd worldwide and 1st in India on Twitters bug bounty program.
AppSecure led by Anand Prakash and Manisha Sangwan managed to identify an essential API flaw which led to leakage of client secret and server tokens of all Uber developer applications.
According to internet reports, the issue was scrutinized by the Uber engineering team and rewarded them with 3.5 lakhs INR (5000 USD) bounty.
The hackers were able to use the vulnerability which pointed out particularly on riders. Uber within which they could point out public API endpoints of https://riders.uber.com/ . Which the hackers used to see client secret of all Uber applications, the issue has been resolved by Uber by removing the extra response from the API response.

The Uber documentation says:The secret for your application, this should be treated like your application’s password. Never share this with anyone, check this into source code, or post in any public forum. Additionally, this should not be distributed on client devices where users could decompile your code and access the secret. If you suspect your client secret has been compromised you may generate a new one in your application’s dashboard which will immediately invalidate the old secret.
The hackers used to exploit this issue by connecting to any Uber application with his Uber account. Navigate to the vulnerable endpoint to see the leaked data in API response.
How the exploit worked step-by-step
Step #1
Hacker connects to a random Uber developer application to his account using OAuth. IFTTT, Pay fare, Bixby are some of the examples of Uber developer applications. It is not identified as a complicated procedure as of now.
Step #2
Once the hackers connects with the above apps to his Uber account which he/she can use against endpoint to get the developer application’s confidential data. The other significant information of the application using the attacker’s session data.
The vulnerability was reported to Uber on 5th October 2018 by Anand Prakash and Uber agreed to publicly disclose it on February 8th, 2019.

Comments

  1. siqing chenNovember 23, 2020 at 7:54 PM

    I am a Single full time dad on disability getting no help from their moms. It a struggle every day. My boys are 15 and 9 been doing this by myself for 8 years now it’s completely drained all my savings everything . These guys are the present day ROBIN HOOD. Im back on my feet again and my kids can have a better life all thanks to the blank card i acquired from skylink technology. Now i can withdraw up too 3000 per day Contact them as well on Mail: skylinktechnes@yahoo.com   or   whatsspp/telegram: +1(213)785-1553

    ReplyDelete

Post a Comment

Popular posts from this blog

MTN uganda on is on fire because of espionage,fraud,tax evasion and unfair competetive tendencies

MTN uganda must have faced the toughest times in its business spel for the beginning of this year.But as many may be aware,MTN's problem are not of today only but a series of mistakes and misunderstanding that gradually escalated from around mid 2010 through to early days of 2019.The most alarming of these mistakes was the unsurety of the customers privacy and the unrealistic licence it got after a long sacffle with the government of the republic of uganda. Many people have been wondering how or if its true that mtn and its staff was involved in data leakages,exposing customers privacy to intrusion or any sort of espionage.on the first two i can assure you that mtn face data leakages and its customers were exposed to dangers of loosing their private data to dubious intruders,plus fraudulent acts that did occur mostly on mobile money services,its really annoying that mtn when contacted on these fraudulent issues alway would take a low pace and in most case ignore it in tge long end
Read more

United kingdom's Coronavirus Contact Tracing App Assists 'Surveillance State'

Image
In the letter, the signatories - which include tech justice NGO Foxglove and digital rights campaigners Access Now - say the proposed app could be another step towards a surveillance state. Campaign groups have written an open letter to UK Prime Minister Boris Johnson warning GCHQ and its digital arm, the National Cyber Security Centre (NCSC), will have the capacity to re-identify the phones of people who install the country’s coronavirus contact-tracing app. They also note the legal framework underpinning the software, which is currently being trialled on the Isle of Wight, is believed to be inadequate to protect people from misuse of their data by the Joint Committee on Human Rights. “Parliament has to quickly issue an adequate legal framework that guarantees users’ human rights protection. In addition, contrary to some recommendations, the app the Government is trialling uses a centralised model for the collection, processing and storage of users’ data. The centralised rec
Read more

Citzens have done a great work in the arrest of an armed robber

Vigilant residents arrest armed man Residents of Kiwatule this afternoon foiled an attempted robbery in Kiwatule after gunman entered Liquid Cash Emergency Loans with intent to rob. The suspect, Isaac Mulengenyi, 23, reportedly fired in the air to scare onlookers however mob charged at him, arrested and handed him to police. A case of aggravated robbery has been opened at Ntinda Police Station Vide CRB 123/2019 while a rifle has been recovered with nine rounds of ammunition. The suspect is still being detained at Ntinda pending appearance before court.
Read more