09/12/2019

Uber Confirms Account Takeover Vulnerability Found By Forbes 30 Under 30 Honoree

Forbes

A security vulnerability has been discovered that could allow attackers to compromise and control any Uber account. The security researcher who found the flaw has revealed that the vulnerability could be exploited to track a user’s location and take rides from their account. As well as Uber users, the same vulnerability impacted Uber driver accounts and Uber Eats accounts.

How a Forbes 30 Under 30 honoree could have hacked your Uber account

Anand Prakash, founder of AppSecure and a Forbes 30 Under 30 honoree, discovered that an attacker could exploit the vulnerability through an application programming interface (API) request. The first step was to obtain the universally unique identifier (UUID) of any user by sending an API request containing either their telephone number or email address. "Once you have the leaked Uber UUID from the API request," Prakash said, "you can replay the request using the victim's Uber UUID and get access to private information like access token (mobile apps), location and address." In other words, one endpoint let any caller map a phone number or email address to a stable internal identifier, and a second endpoint then served account data keyed only by that identifier without checking that the caller actually owned the account, a missing object-level authorization check of the kind usually described as an insecure direct object reference. Prakash says that with the mobile app access token he was able to completely compromise a test account in this way, requesting rides, retrieving payment information and more. A proof-of-concept video showing the attack methodology in action is linked from the original Forbes article.
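The following is an added, constructed model of the two-step takeover described above. It is not Uber's code or API; the endpoint names, field names, account records and tokens are all invented. It shows the vulnerable pattern (a profile endpoint that trusts the UUID supplied in the request) next to a hardened version that enforces object-level authorization and never returns an access token in an API response.

```python
# Constructed illustration of the UUID-leak / replay attack pattern.
# Not Uber's code; every name and value here is hypothetical.
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory account store keyed by user UUID (fake data).
ACCOUNTS = {
    "7f3a-victim": {"email": "alice@example.com", "phone": "+15551230001",
                    "access_token": "tok-alice-secret", "location": (37.77, -122.42)},
    "9c1b-attacker": {"email": "mallory@example.com", "phone": "+15551230002",
                      "access_token": "tok-mallory", "location": (40.71, -74.00)},
}


@dataclass
class Request:
    """Hypothetical API request: the caller's own session token plus query parameters."""
    session_token: str
    params: dict


def caller_uuid(req: Request) -> Optional[str]:
    """Resolve the session token to the calling user's UUID (hypothetical auth layer)."""
    for uid, acct in ACCOUNTS.items():
        if acct["access_token"] == req.session_token:
            return uid
    return None


# --- Vulnerable endpoints: the pattern the article describes ---
def vulnerable_lookup(req: Request) -> dict:
    """Step 1: any authenticated caller can learn the UUID behind a phone or email."""
    if caller_uuid(req) is None:
        raise PermissionError("unauthenticated")
    contact = req.params.get("contact")
    for uid, acct in ACCOUNTS.items():
        if contact in (acct["email"], acct["phone"]):
            return {"uuid": uid}
    return {}


def vulnerable_profile(req: Request) -> dict:
    """Step 2: the record is fetched by the UUID in the request; it is never compared to the caller."""
    if caller_uuid(req) is None:
        raise PermissionError("unauthenticated")
    return ACCOUNTS[req.params["uuid"]]  # leaks token and location of any UUID


# --- Hardened endpoints ---
def hardened_lookup(req: Request) -> dict:
    """Only confirm a contact that belongs to the caller; never map other users' contacts to UUIDs."""
    me = caller_uuid(req)
    if me is None:
        raise PermissionError("unauthenticated")
    contact = req.params.get("contact")
    if contact in (ACCOUNTS[me]["email"], ACCOUNTS[me]["phone"]):
        return {"uuid": me}
    return {}


def hardened_profile(req: Request) -> dict:
    """Object-level authorization: the requested UUID must be the caller's own,
    and the access token is never part of the response body."""
    me = caller_uuid(req)
    if me is None:
        raise PermissionError("unauthenticated")
    if req.params.get("uuid") != me:
        raise PermissionError("not your account")
    return {k: v for k, v in ACCOUNTS[me].items() if k != "access_token"}


def takeover(lookup, profile, attacker_token: str, victim_contact: str) -> Optional[str]:
    """Replay the two requests with the victim's UUID; returns the victim's token or None."""
    try:
        uid = lookup(Request(attacker_token, {"contact": victim_contact})).get("uuid")
        if uid is None:
            return None
        return profile(Request(attacker_token, {"uuid": uid})).get("access_token")
    except PermissionError:
        return None


if __name__ == "__main__":
    print("vulnerable:", takeover(vulnerable_lookup, vulnerable_profile, "tok-mallory", "alice@example.com"))
    print("hardened:", takeover(hardened_lookup, hardened_profile, "tok-mallory", "alice@example.com"))
```

The check that closes the hole is the single comparison of the requested UUID against the identity derived from the session, not anything about the UUID's format or secrecy: an identifier that is handed out by one endpoint and accepted as proof of ownership by another is the defining shape of this bug class. If a contact-to-account lookup is genuinely required by a feature, it should return an opaque, short-lived handle rather than the stable internal ID, and be rate-limited so it cannot be used for bulk enumeration.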
