Mohamed M.Fouad who is well known for his bug research, found that he could brute force the ‘Promo Codes’ feature in Uber App and make it spill out high value promo codes of as much as $25,000 in value. Fouad found that the “promo codes ” vulnerability in the sign-up invitation link for Uber allows any user to invite another user to join the service and get one or more than one free rides based on the promotion code value.
Fouad found that Uber did not have any rate limiter feature for trying out Promo Codes to limit the number of times a Uber user can make such attempts. Fouad could exploit this vulnerability to generate promo codes until he found valid ones. He also found the he could generate promo codes with ‘uber+code_name’ at will.
As is normally the case, Fouad informed Uber about the brute force vulnerability for them to issue patch. Surprisingly, Uber did not find the flaw to be interesting enough to be patched. Fouad told Techworm that he was surprised at Uber’s response, “Finally i’m not the only researcher who reported this vulnerability and that’s mean we are all agreed on this is a vulnerbility , Ali Kabeel a security researcher he also reported the same vulnerability but in “Third” different place in the application which i mentioned above it exists in riders.uber.com/profile URL code customization feature.” Uber has fixed the brute force vulnerability in the payment page by applying the rate-limiter. However, the Promo Codes feature is still vulnerable to brute force attacks. Anyways, until Uber patches the flaw, potential hackers can enjoy free rides as they come.
