Reports in the Uber program:

S.No Title Bounty
1 [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo $39999.99
2 RCE via npm misconfig -- installing internal libraries from the public registry $9000.0
3 SAML Authentication Bypass on uchat.uberinternal.com $8500.0
4 [CRITICAL] -- Complete Account Takeover $8000.0
5 Open Redirect on central.uber.com allows for account takeover $8000.0
6 Chained Bugs to Leak Victim's Uber's FB Oauth Token $7500.0
7 Arbitrary File Reading on Uber SSL VPN $6500.0
8 Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains $6000.0
9 Stored XSS on any page in most Uber domains $6000.0
10 Chain of vulnerabilities in Uber for Business Vouchers program allows for attacker to perform arbitrary charges to victim's U4B payment account $5750.0
11 Stored XSS on developer.uber.com via admin account compromise $5000.0
12 Hack The World 2017 Top 2 Bonus $5000.0
13 Unauthorized access to █████████.com allows access to Uber Brazil tax documents and system. $4500.0
14 Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg $4000.0
15 Lack of rate limiting on get.uber.com leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers $3000.0
16 Get organization info based on uuid $3000.0
17 Possibility to enumerate and bruteforce promotion codes in Uber iOS App $3000.0
18 Reflected XSS POST method at partners.uber.com $3000.0
19 Stored XSS on auth.uber.com/oauth/v2/authorize via redirect_uri parameter leads to Account Takeover $3000.0
20 [First 30] Stored XSS on login.uber.com/oauth/v2/authorize via redirect_uri parameter $3000.0
21 SQL injection in 3rd party software Anomali $2500.0
22 SQLI on desafio5estrelas.com $2500.0
23 [IDOR] Get business trip via organization id $2000.0
24 Reflected XSS on Partners Subdomain $2000.0
25 Reflected XSS on multiple uberinternal.com domains $2000.0
26 XSS in ubermovement.com via editable Google Sheets $2000.0
27 Pre-auth Remote Code Execution on multiple Uber SSL VPN servers $2000.0
28 Full read SSRF in flyte-poc-us-east4.uberinternal.com $2000.0
29 [uchat.uberinternals.com] Mattermost doesn't check Origin in Websockets, which leads to critical information leakage. $2000.0
30 Change the rating of any trip, therefore change the average driver rating $1500.0
31 ubernycmarketplace.com is vulnerable to the Heartbleed Bug $1500.0
32 SQLI on uberpartner.eu leads to exposure of sensitive user data of Uber partners $1500.0
33 DOM based XSS via insecure parameter on [ https://uberpay-mock-psp.uber.com ] $1420.0
34 WordPress Vulnerabilities in transparencyreport.uber.com and eng.uber.com domains $1000.0
35 Information Leakage - GitHub - VCenter configuration scripts, StorMagic usernames and password along with default ESXi root password $1000.0
36 XSS on partners.uber.com due to no user input sanitisation $1000.0
37 Reflected XSS on https://www.uber.com $1000.0
38 Chained vulnerabilities create DoS attack against users on desafio5estrelas.com $1000.0
39 Access to SQL server of ubergreen.pt through password disclosure from different domain on same IP $750.0
40 API on campus-vtc.com allows access to ~100 Uber users full names, email addresses and telephone numbers. $750.0
41 HTML injection via insecure parameter [https://www.ubercarshare.com/] $650.0
42 CBC "cut and paste" attack may cause Open Redirect(even XSS) $500.0
43 Estimation of a Lower Bound on Number of Uber Drivers via Enumeration $500.0
44 Open Redirect in m.uber.com $500.0
45 Improper Access Control on Onelogin in multi-layered architecture $500.0
46 Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/ $500.0
47 Open Redirect in riders.uber.com $500.0
48 duplicate hsts headers lead to firefox ignoring hsts on business.uber.com $500.0
49 Outdated WordPress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities $500.0
50 Thumbor misconfiguration at blogapi.uber.com can lead to DoS $500.0
51 Open AWS S3 bucket at ubergreece.s3.amazonaws.com exposes confidential internal documents and files $500.0
52 Unsecured Dropwizard Admin Panel on display.uber-adsystem.com exposes sensitive server information $500.0
53 Lack of CSRF protection on uberps.com makes every form vulnerable to CSRF $500.0
54 Cleartext password exposure allows access to the desafio5estrelas.com admin panel $500.0
55 4 Subdomains Takeover on 2 domains ( muberscolombia.com & ubereats.pl ) $500.0
56 [data-07.uberinternal.com] SSRF in Portainer app lead to access to Internal Docker API without Auth $500.0
57 Listing of email addresses of whitelisted business users visible at business.uber.com $250.0
58 Full path disclosure on track.uber.com $100.0
59 Avoiding Surge Pricing $0.0
60 Content injection on 404 error page at faspex.uber.com $0.0
61 Brute Force Amplification Attack $0.0
62 User Enumeration and Information Disclosure $0.0
63 Missing authorization checks leading to the exposure of ubernihao.com administrator accounts $0.0
64 XSS At "pages.et.uber.com" $0.0
65 newsroom.uber.com is vulnerable to 'SOME' XSS attack via plupload.flash.swf $0.0
66 Multiple vulnerabilities in a WordPress plugin at drive.uber.com $0.0
67 Bulk UUID enumeration via invite codes $0.0
68 Reading Emails in Uber Subdomains $0.0
69 Changing paymentProfileUuid when booking a trip allows free rides $0.0
70 text injection in get.uber.com/check-otp $0.0
71 Attacker could setup reminder remotely using brute force $0.0
72 Stealing users' password (Limited Scenario) $0.0
73 Users can falsely declare their own Uber account info on the monthly billing application $0.0
74 Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront $0.0
75 Authorization issue in Google G Suite allows DoS through HTTP redirect $0.0
76 pam-ussh may be tricked into using another logged in user's ssh-agent $0.0
77 ability to retrieve a user's phone-number/email for a given inviteCode $0.0
78 password reset token leaking allowed for ATO of an Uber account $0.0
79 Session not expired on logout [partners.uber.com] $0.0
80 phone number exposure for riders/drivers given email/uuid $0.0
81 deleting payment profile during active trip puts account into arrears but active trip is temporarily “free” $0.0
82 Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com $0.0
83 The Microsoft Store Uber App Does Not Implement Certificate Pinning $0.0
84 The Microsoft Store Uber App Does Not Implement Server-side Token Revocation $0.0
85 The Uber Promo Customer Endpoint Does Not Implement Multifactor Authentication, Blacklisting or Rate Limiting $0.0
86 SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint $0.0
87 It's possible to view configuration and/or source code on uchat.awscorp.uberinternal.com without $0.0
88 Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication $0.0
89 SSL-protected Reflected XSS in m.uber.com $0.0
90 SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint $0.0
91 udi-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint $0.0
92 lite:sess Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint $0.0
93 muber-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint $0.0
94 Design Issue at riders.uber.com/profile $0.0
95 Information Leak - GitHub - Endpoint Configuration Details $0.0
96 No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts $0.0
97 Delay of arrears notification allows Riders to take multiple rides without paying $0.0
98 SMS/Call spamming due to truncated phone number $0.0
99 Open redirect on rush.uber.com, business.uber.com, and help.uber.com $0.0
100 Privacy policy contains hardcoded link using unencrypted HTTP $0.0
101 Lack of payment type validation in dial.uber.com allows for free rides $0.0
102 Physical Access to Mobile App Allows Local Attribute Updates without Authentication $0.0
103 lert.uber.com: Few default folders/files of AURA Framework are accessible $0.0
104 Site-wide CSRF on eats.uber.com $0.0
105 SMS URL verification link does not expire on phone number change and lacks rate limiting $0.0
106 Reflected XSS in lert.uber.com $0.0
107 IDOR on partners.uber.com allows for a driver to override administrator documents $0.0
108 IDOR in activateFuelCard id allows bulk lookup of driver uuids $0.0
109 Subdomain takeover at signup.uber.com $0.0
110 Client secret, server tokens for developer applications returned by internal API $0.0
111 Lack of proper paymentProfileUUID validation allows any number of free rides without any outstanding balance $0.0
112 Sensitive user information disclosure at bonjour.uber.com/marketplace/_rpc via the 'userUuid' parameter $0.0
113 Subdomain takeover on mta1a1.spmail.uber.com $0.0
114 Full Path and internal information disclosure+ SQLNet.log file disclose internal network information $0.0
115 [manage.jumpbikes.com] Blind XSS on Jump admin panel via user name $0.0
116 [experience.uber.com] Node.js source code disclosure & anonymous access to internal Uber documents, templates and tools $0.0
117 Cookie Bombing causes DoS - businesses.uber.com $0.0
118 [usuppliers.uber.com] - Server Side Request Forgery via XXE OOB $0.0
119 Uber employees are sharing information on productforums.google.com $0.0
120 Disclosure of Co-Rider user (Uber-pooling) profile picture at Amazon AWS Cloudfront within HTTP RESPONSE $0.0
121 stack trace exposed on https://receipts.uber.com/ $0.0
122 Reflected XSS on https://www.uber.com $0.0
123 Critical Information disclosure of rtapi token for any user via https://video-support-staging.uber.com/video/api/getPopulousUser $0.0
124 Exposed █████████ in apk file - devbuilds.uber.com $0.0
125 IDOR leads to leak analytics of any restaurant $0.0
126 Cross-Tenant IDOR on Business allowing privilege escalation, invitation takeover, and editing of any other Businesses' employees $0.0
127 Unrestricted File Upload Results in Cross-Site Scripting Attacks $0.0
128 Request Access for Uber Device Returns Management Platform (https://www.eats-devicereturns.com/request-access/) Bypass Allows Access to PII $0.0
129 private passenger information is exposed to the Uber Driver app during ride dispatch ("Ping") events $0.0
130 IDOR leads to See analytics of Loyalty Program in any restaurant. $0.0
131 pam_ussh does not properly validate the SSH certificate authority $0.0
132 CVE-2020-3452 - unauthenticated file read on anyconnect.routematch.com $0.0
133 Publicly exposed HashiCorp Vault (Secrets management) at usec-gcp-staging.uberinternal.com & usec-gcp.uberinternal.com $0.0
134 Google Maps API Key Leakage $0.0
135 Uber Test Report 20220301 $0.0
136 Chain of IDORs Between U4B and Vouchers APIs Allows Attackers to View and Modify Program/Voucher Policies and to Obtain Organization Employees' PII $0.0
137 Exposed Golang Pprof debugger at https://cn-geo1.uber.com/ $0.0
138 Golang expvar Information Disclosure $0.0
139 Complete Admin account takeover due to PhpDebugBar turned on in Uber's production server $0.0
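The list above is a three-column table ("S.No Title Bounty") flattened to one report per line, with the bounty as the last "$amount" token. The following Python is an added example, not part of the original file: a parser for that exact layout plus a rough aggregation of bounty by vulnerability class, the kind of quick triage statistic a program manager or researcher pulls from a disclosed-report list. The six sample rows are copied from the list above; the keyword-to-class table is an editorial assumption for the example, not a taxonomy the page defines.

```python
import re
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample: six rows copied from the list above, in the page's own
# "S.No Title Bounty" layout (header line, then one report per line, bounty last).
SAMPLE = """\
S.No Title Bounty
1 [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo $39999.99
2 RCE via npm misconfig -- installing internal libraries from the public registry $9000.0
19 Stored XSS on auth.uber.com/oauth/v2/authorize via redirect_uri parameter leads to Account Takeover $3000.0
28 Full read SSRF in flyte-poc-us-east4.uberinternal.com $2000.0
48 duplicate hsts headers lead to firefox ignoring hsts on business.uber.com $500.0
107 IDOR on partners.uber.com allows for a driver to override administrator documents $0.0
"""

# Serial number, then the title (lazy match so the trailing "$amount" is not
# swallowed into it), then the bounty exactly as printed on the page.
ROW_RE = re.compile(r"^(?P<no>\d+)\s+(?P<title>.+?)\s+\$(?P<bounty>\d+(?:\.\d+)?)$")

# Keyword -> class table. An assumption made for this example, not a taxonomy
# from the page; the first pattern that matches a title wins.
CLASS_PATTERNS = [
    ("xss", re.compile(r"\bxss\b", re.I)),
    ("idor", re.compile(r"\bidor\b", re.I)),
    ("ssrf", re.compile(r"\bssrf\b", re.I)),
    ("open redirect", re.compile(r"open redirect", re.I)),
    ("subdomain takeover", re.compile(r"subdomains? takeover", re.I)),
    ("sqli", re.compile(r"\bsqli?\b|sql injection", re.I)),
    ("rce", re.compile(r"\brce\b|remote code execution", re.I)),
    ("secret leak", re.compile(r"leak|exposed|disclosure", re.I)),
]


@dataclass(frozen=True)
class Report:
    no: int
    title: str
    bounty: Decimal  # Decimal keeps totals exact (no float drift on 39999.99 + 9000.0 + ...)


def parse_rows(text: str) -> list[Report]:
    """Parse the flattened table; skip the header and blank lines, reject anything else."""
    reports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("S.No"):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        reports.append(Report(int(m["no"]), m["title"], Decimal(m["bounty"])))
    return reports


def classify(title: str) -> str:
    """Map a report title to a coarse class using CLASS_PATTERNS; 'other' if none match."""
    for name, pattern in CLASS_PATTERNS:
        if pattern.search(title):
            return name
    return "other"


def bounty_by_class(reports: list[Report]) -> dict[str, tuple[int, Decimal]]:
    """Return {class: (report_count, total_bounty)}, ordered by total bounty descending."""
    totals: dict[str, tuple[int, Decimal]] = {}
    for r in reports:
        cls = classify(r.title)
        count, total = totals.get(cls, (0, Decimal(0)))
        totals[cls] = (count + 1, total + r.bounty)
    return dict(sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True))


def total_paid(reports: list[Report]) -> Decimal:
    """Sum of all bounties; rows listed as $0.0 contribute nothing."""
    return sum((r.bounty for r in reports), Decimal(0))


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    print(f"{len(rows)} reports, ${total_paid(rows)} paid")
    for cls, (count, total) in bounty_by_class(rows).items():
        print(f"  {cls:<20} {count:>3}  ${total}")
```

Run as-is to see the breakdown for the six sample rows; pointing `parse_rows` at the full list is a matter of pasting it into `SAMPLE`. Note that a $0.0 entry means the page shows no bounty, which may be "undisclosed" rather than "unpaid"; the aggregation treats it as zero because that is all the page states.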