Top reports from Uber program at HackerOne:
- Sensitive user information disclosure at bonjour.uber.com/marketplace/_rpc via the 'userUuid' parameter to Uber - 603 upvotes, $6500
- Chained Bugs to Leak Victim's Uber's FB Oauth Token to Uber - 353 upvotes, $7500
- Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg to Uber - 331 upvotes, $4000
- Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical) to Uber - 278 upvotes, $10000
- Stored XSS in developer.uber.com to Uber - 198 upvotes, $7500
- XSS At "pages.et.uber.com" to Uber - 183 upvotes, $0
- Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com to Uber - 152 upvotes, $5000
- Reading Emails in Uber Subdomains to Uber - 130 upvotes, $10000
- Client secret, server tokens for developer applications returned by internal API to Uber - 111 upvotes, $5000
- Open Redirect on central.uber.com allows for account takeover to Uber - 109 upvotes, $8000
- ubernycmarketplace.com is vulnerable to the Heartbleed Bug to Uber - 104 upvotes, $1500
- Stored XSS on any page in most Uber domains to Uber - 99 upvotes, $6000
- password reset token leaking allowed for ATO of an Uber account to Uber - 84 upvotes, $10000
- Possibility to get private email using UUID to Uber - 80 upvotes, $5000
- SAML Authentication Bypass on uchat.uberinternal.com to Uber - 79 upvotes, $8500
- [CRITICAL] -- Complete Account Takeover to Uber - 76 upvotes, $8000
- SQL Injection on sctrack.email.uber.com.cn to Uber - 74 upvotes, $4000
- Subdomain takeover at signup.uber.com to Uber - 74 upvotes, $3000
- Changing paymentProfileUuid when booking a trip allows free rides to Uber - 71 upvotes, $5000
- Lack of proper paymentProfileUUID validation allows any number of free rides without any outstanding balance to Uber - 71 upvotes, $1500
- xss in https://www.uber.com to Uber - 63 upvotes, $7000
- Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront to Uber - 63 upvotes, $1000
- uber.com may RCE by Flask Jinja2 Template Injection to Uber - 60 upvotes, $10000
- Authorization issue in Google G Suite allows DoS through HTTP redirect to Uber - 59 upvotes, $2500
- Hack The World 2017 Top 2 Bonus to Uber - 58 upvotes, $5000
- Lack of payment type validation in dial.uber.com allows for free rides to Uber - 58 upvotes, $5000
- OneLogin authentication bypass on WordPress sites via XMLRPC to Uber - 57 upvotes, $7000
- SQL injection in 3rd party software Anomali to Uber - 56 upvotes, $2500
- Blind OOB XXE At "http://ubermovement.com/" to Uber - 52 upvotes, $500
- Multiple vulnerabilities in a WordPress plugin at drive.uber.com to Uber - 50 upvotes, $5000
- Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains to Uber - 48 upvotes, $6000
- OneLogin authentication bypass on WordPress sites to Uber - 44 upvotes, $10000
- Avoiding Surge Pricing to Uber - 44 upvotes, $3000
- Reflected XSS on multiple uberinternal.com domains to Uber - 39 upvotes, $2000
- Attacker could setup reminder remotely using brute force to Uber - 36 upvotes, $0
- SQL injection in Wordpress Plugin Huge IT Video Gallery at https://drive.uber.com/frmarketplace/ to Uber - 35 upvotes, $3000
- Reflected XSS in lert.uber.com to Uber - 35 upvotes, $3000
- phone number exposure for riders/drivers given email/uuid to Uber - 35 upvotes, $2000
- Change the rating of any trip, therefore change the average driver rating to Uber - 34 upvotes, $1500
- Stealing users password (Limited Scenario) to Uber - 33 upvotes, $100
- Possibility to brute force invite codes in riders.uber.com to Uber - 32 upvotes, $5000
- Full Path and internal information disclosure+ SQLNet.log file disclose internal network information to Uber - 31 upvotes, $0
- Reflected XSS POST method at partners.uber.com to Uber - 30 upvotes, $3000
- Reflected XSS on Partners Subdomain to Uber - 30 upvotes, $2000
- Stored XSS on developer.uber.com via admin account compromise to Uber - 28 upvotes, $5000
- Information Leakage - GitHub - VCenter configuration scripts, StorMagic usernames and password along with default ESXi root password to Uber - 27 upvotes, $1000
- Improper Access Control on Onelogin in multi-layered architecture to Uber - 26 upvotes, $500
- Site-wide CSRF on eats.uber.com to Uber - 25 upvotes, $6000
- duplicate hsts headers lead to firefox ignoring hsts on business.uber.com to Uber - 24 upvotes, $500
- Reflected XSS on developer.uber.com via Angular template injection to Uber - 23 upvotes, $3000
- Possible to View Driver Waybill via Driver UUID to Uber - 23 upvotes, $3000
- Get organization info base on uuid to Uber - 22 upvotes, $3000
- Possibility to enumerate and bruteforce promotion codes in Uber iOS App to Uber - 22 upvotes, $3000
- pam-ussh may be tricked into using another logged in user's ssh-agent to Uber - 22 upvotes, $1500
- Subdomain takeover on mta1a1.spmail.uber.com to Uber - 22 upvotes, $500
- Subdomain takeover of translate.uber.com, de.uber.com and fr.uber.com to Uber - 21 upvotes, $2250
- Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin to Uber - 17 upvotes, $5000
- XSS on partners.uber.com due to no user input sanitisation to Uber - 17 upvotes, $1000
- CBC "cut and paste" attack may cause Open Redirect(even XSS) to Uber - 17 upvotes, $500
- Multiple Vulnerabilities (Including SQLi) in love.uber.com to Uber - 17 upvotes, $250
- deleting payment profile during active trip puts account into arrears but active trip is temporarily “free” to Uber - 17 upvotes, $0
- Privacy policy contains hardcoded link using unencrypted HTTP to Uber - 17 upvotes, $0
- Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/ to Uber - 16 upvotes, $500
- IDOR in activateFuelCard id allows bulk lookup of driver uuids to Uber - 16 upvotes, $500
- Information regarding trips from other users to Uber - 15 upvotes, $5000
- XSS @ love.uber.com to Uber - 14 upvotes, $3000
- Missing authorization checks leading to the exposure of ubernihao.com administrator accounts to Uber - 14 upvotes, $3000
- xss vulnerability in http://ubermovement.com/community/daniel to Uber - 14 upvotes, $750
- IDOR on partners.uber.com allows for a driver to override administrator documents to Uber - 14 upvotes, $500
- Lack of CNAME/A Record Trimming Pointing Uber Domains to Insecure Non-Uber AWS Instances/Sites to Uber - 13 upvotes, $1500
- SMS/Call spamming due to truncated phone number to Uber - 12 upvotes, $500
- Lack of rate limiting on get.uber.com leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers to Uber - 11 upvotes, $3000
- XSS in ubermovement.com via editable Google Sheets to Uber - 11 upvotes, $2000
- Server version disclosure to Uber - 11 upvotes, $0
- Bulk UUID enumeration via invite codes to Uber - 10 upvotes, $1500
- No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts to Uber - 10 upvotes, $750
- Open redirect on rush.uber.com, business.uber.com, and help.uber.com to Uber - 10 upvotes, $500
- Open Redirect in riders.uber.com to Uber - 9 upvotes, $500
- Full path disclosure on track.uber.com to Uber - 9 upvotes, $100
- Session not expired When logout [partners.uber.com] to Uber - 9 upvotes, $0
- Bypassing Uber Partner's 3 Cancel Limit to Uber - 8 upvotes, $2000
- [IODR] Get business trip via organization id to Uber - 8 upvotes, $2000
- Open Redirection on Uber.com to Uber - 8 upvotes, $500
- Open Redirect in m.uber.com to Uber - 8 upvotes, $500
- Delay of arrears notification allows Riders to take multiple rides without paying to Uber - 8 upvotes, $0
- Reflected XSS on Uber.com careers to Uber - 7 upvotes, $3000
- Can add employee in business.uber.com without add payment method to Uber - 7 upvotes, $0
- Bruteforce INVITE codes easy way to Uber - 7 upvotes, $0
- The Microsoft Store Uber App Does Not Implement Certificate Pinning to Uber - 7 upvotes, $0
- Information Leak - GitHub - Endpoint Configuration Details to Uber - 7 upvotes, $0
- Reflected XSS via Unvalidated / Open Redirect in uber.com to Uber - 6 upvotes, $3000
- newsroom.uber.com is vulnerable to 'SOME' XSS attack via plupload.flash.swf to Uber - 6 upvotes, $1000
- Users can falsely declare their own Uber account info on the monthly billing application to Uber - 6 upvotes, $500
- SMS URL verification link does not expire on phone number change and lacks rate limiting to Uber - 6 upvotes, $500
- Stored Cross Site Scripting [SELF] in partners.uber.com to Uber - 6 upvotes, $0
- It's possible to view configuration and/or source code on uchat.awscorp.uberinternal.com without to Uber - 6 upvotes, $0
- Physical Access to Mobile App Allows Local Attribute Updates without Authentication to Uber - 6 upvotes, $0
- Stored XSS in archive.uber.com Due to Injection of Javascript:alert(0) to Uber - 5 upvotes, $3000
- Reflected XSS via Livefyre Media Wall in newsroom.uber.com to Uber - 5 upvotes, $2000
- ability to retrieve a user's phone-number/email for a given inviteCode to Uber - 5 upvotes, $1000
- Email Address Enumeration to Uber - 5 upvotes, $0
- Requested and received edit access to Google form to Uber - 5 upvotes, $0
- Content injection on 404 error page at faspex.uber.com to Uber - 5 upvotes, $0
- muber-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 5 upvotes, $0
- lert.uber.com: Few default folders/files of AURA Framework are accessible to Uber - 5 upvotes, $0
- Stored XSS in drive.uber.com WordPress admin panel to Uber - 4 upvotes, $2000
- Compromising Atlassian Confluence (team.uberinternal.com) via WordPress (newsroom.uber.com) to Uber - 4 upvotes, $0
- Disclosure of ways to the site root to Uber - 4 upvotes, $0
- Uber is Flooding my Mobile with SMS Daily like a cron JOB to Uber - 4 upvotes, $0
- XSS in uber oauth to Uber - 4 upvotes, $0
- reopen #128853 (Information disclosure at lite.uber.com) to Uber - 4 upvotes, $0
- Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication to Uber - 4 upvotes, $0
- SQLi in love.uber.com to Uber - 3 upvotes, $3000
- Dom Based Xss to Uber - 3 upvotes, $3000
- CSV Injection in business.uber.com to Uber - 3 upvotes, $1000
- Mass Assignment Vulnerability in partners.uber.com to Uber - 3 upvotes, $1000
- Wordpress Vulnerabilities in transparencyreport.uber.com and eng.uber.com domains to Uber - 3 upvotes, $1000
- Brute-Forcing invite codes in partners.uber.com to Uber - 3 upvotes, $750
- CSRF on eng.uber.com may lead to server-side compromise to Uber - 3 upvotes, $0
- Self-XSS Vulnerability on Password Reset Form to Uber - 3 upvotes, $0
- Unsubscribe any user from receiving email to Uber - 3 upvotes, $0
- Use Partner/Driver App Without Being Activated to Uber - 3 upvotes, $0
- Phone Number Enumeration to Uber - 3 upvotes, $0
- Information Disclosure on lite.uber.com to Uber - 3 upvotes, $0
- Header Injection to Uber - 3 upvotes, $0
- Text Only Content Spoofing on ubermovement.com Community Page to Uber - 3 upvotes, $0
- XSS via password recovering to Uber - 3 upvotes, $0
- XSS in people.uber.com to Uber - 3 upvotes, $0
- text injection in get.uber.com/check-otp to Uber - 3 upvotes, $0
- The Microsoft Store Uber App Does Not Implement Server-side Token Revocation to Uber - 3 upvotes, $0
- The Uber Promo Customer Endpoint Does Not Implement Multifactor Authentication, Blacklisting or Rate Limiting to Uber - 3 upvotes, $0
- SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
- SSL-protected Reflected XSS in m.uber.com to Uber - 3 upvotes, $0
- SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
- udi-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
- lite:sess Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
- XSS in getrush.uber.com to Uber - 2 upvotes, $3000
- Drivers can change profile picture to Uber - 2 upvotes, $500
- Estimation of a Lower Bound on Number of Uber Drivers via Enumeration to Uber - 2 upvotes, $500
- Listing of http://archive.uber.com/pypi/simple/ to Uber - 2 upvotes, $0
- It is possible to re-rate a driver after a very long time to Uber - 2 upvotes, $0
- Pixel flood attack in https://riders.uber.com/profile to Uber - 2 upvotes, $0
- CRLF Injection in developer.uber.com to Uber - 2 upvotes, $0
- Enumerating userIDs with phone numbers to Uber - 2 upvotes, $0
- Active Email Hyperlink Sent on riders.uber.com to Uber - 2 upvotes, $0
- Disclosure of ip addresses in local network of uber to Uber - 2 upvotes, $0
- faspex.uber.com uses an invalid SSL certificate to Uber - 2 upvotes, $0
- Server version disclosure: team.uberinternal.com to Uber - 2 upvotes, $0
- Email Enumeration Vulnerability to Uber - 2 upvotes, $0
- Newsroom.uber HTML form without CSRF protection to Uber - 2 upvotes, $0
- Defect-Security | Driver-Broken Authentication | Able to update the Subscription Setting anonymously to Uber - 2 upvotes, $0
- Uber for Business Allows Administrators to Change Uber Driver Ratings Due to Failure to Authenticate fast-rating Endpoint to Uber - 2 upvotes, $0
- Missing authentication on Notification setting to Uber - 2 upvotes, $0
- XSS In archive.uber.com Due to Mime Sniffing in IE to Uber - 1 upvotes, $750
- XSS on partners.uber.com to Uber - 1 upvotes, $500
- Easy spam with USE My PHONE Feature to Uber - 1 upvotes, $250
- Issue with Password reset functionality to Uber - 1 upvotes, $100
- Cross-site Scripting (XSS) autocomplete generation in https://www.uber.com/ to Uber - 1 upvotes, $0
- HTML Escaping Error in the 404 Page on developer.uber.com/docs/ to Uber - 1 upvotes, $0
- Cross-site Scripting (XSS) to Uber - 1 upvotes, $0
- XSS on love.uber.com to Uber - 1 upvotes, $0
- Session retention is present which reveals the customer info to Uber - 1 upvotes, $0
- CrashPlan Backup is Vulnerable Allowing to a DoS Attack Against Uber's Backups to backup.uber.com to Uber - 1 upvotes, $0
- DOM based XSS on to Uber - 1 upvotes, $0
- Password Reset Does Not Confirm the Existence of an Email Address to Uber - 1 upvotes, $0
- Create account in uber without signup form to Uber - 1 upvotes, $0
- Privilege escalation to allow non activated users to login and use uber partner ios app to Uber - 1 upvotes, $0
- Uber password reset link EMAIL FLOOD to Uber - 1 upvotes, $0
- Uploading Plain Text to uber-documents.s3.amazonaws.com Through the Driver Document Upload Page to Uber - 1 upvotes, $0
- Changing Driver Passwords With Only an Authenticated Session (no password, no email) to Uber - 1 upvotes, $0
- SMS Flood with Update Profile to Uber - 1 upvotes, $0
- Brute Forcing rider-view Endpoint Allows for Counting Number of Active Uber Drivers to Uber - 1 upvotes, $0
- Session Impersonation in riders.uber.com to Uber - 1 upvotes, $0
- Information disclosure at lite.uber.com to Uber - 1 upvotes, $0
- developer.uber.com/404 and developer.uber.com/docs/404 are susceptible to iframes to Uber - 1 upvotes, $0
- Unauthorized file (invoice) download to Uber - 1 upvotes, $0
- Authentication Issue for easter egg on bonjour.uber.com to Uber - 1 upvotes, $0
- Command Injection, Information to Uber - 1 upvotes, $0
- Self-XSS in Partners Profile to Uber - 1 upvotes, $0
- Error Message on 404 page to Uber - 1 upvotes, $0
- Clickjacking in love.uber.com to Uber - 1 upvotes, $0
- Stored self-XSS at m.uber.com to Uber - 1 upvotes, $0
- User credentials are not strong on vault.uber.com to Uber - 1 upvotes, $0
- Self-XSS on partners.uber.com to Uber - 1 upvotes, $0
- Brute Force Amplification Attack to Uber - 1 upvotes, $0
- User Enumeration and Information Disclosure to Uber - 1 upvotes, $0
- Design Issue at riders.uber.com/profile to Uber - 1 upvotes, $0