Skip to content

Latest commit

 

History

History
223 lines (219 loc) · 27.9 KB

TOPUBER.md

File metadata and controls

223 lines (219 loc) · 27.9 KB
Raw

Back

Top reports from Uber program at HackerOne:

  1. Sensitive user information disclosure at bonjour.uber.com/marketplace/_rpc via the 'userUuid' parameter to Uber - 611 upvotes, $6500
  2. Chained Bugs to Leak Victim's Uber's FB Oauth Token to Uber - 375 upvotes, $7500
  3. Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg to Uber - 364 upvotes, $4000
  4. Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical) to Uber - 288 upvotes, $10000
  5. RCE via npm misconfig -- installing internal libraries from the public registry to Uber - 281 upvotes, $9000
  6. [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo to Uber - 229 upvotes, $39999
  7. Stored XSS in developer.uber.com to Uber - 206 upvotes, $7500
  8. XSS At "pages.et.uber.com" to Uber - 193 upvotes, $0
  9. Unauthorized access to █████████.com allows access to Uber Brazil tax documents and system. to Uber - 182 upvotes, $4500
  10. Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com to Uber - 160 upvotes, $5000
  11. Reading Emails in Uber Subdomains to Uber - 135 upvotes, $10000
  12. Open Redirect on central.uber.com allows for account takeover to Uber - 120 upvotes, $8000
  13. Client secret, server tokens for developer applications returned by internal API to Uber - 114 upvotes, $5000
  14. [First 30] Stored XSS on login.uber.com/oauth/v2/authorize via redirect_uri parameter to Uber - 110 upvotes, $3000
  15. ubernycmarketplace.com is vulnerable to the Heartbleed Bug to Uber - 108 upvotes, $1500
  16. Reflected XSS on https://www.uber.com to Uber - 106 upvotes, $2000
  17. Stored XSS on any page in most Uber domains to Uber - 102 upvotes, $6000
  18. password reset token leaking allowed for ATO of an Uber account to Uber - 86 upvotes, $10000
  19. uber.com may RCE by Flask Jinja2 Template Injection to Uber - 81 upvotes, $10000
  20. SAML Authentication Bypass on uchat.uberinternal.com to Uber - 80 upvotes, $8500
  21. Possibility to get private email using UUID to Uber - 80 upvotes, $5000
  22. [CRITICAL] -- Complete Account Takeover to Uber - 77 upvotes, $8000
  23. SQL Injection on sctrack.email.uber.com.cn to Uber - 75 upvotes, $4000
  24. Subdomain takeover at signup.uber.com to Uber - 75 upvotes, $3000
  25. Lack of proper paymentProfileUUID validation allows any number of free rides without any outstanding balance to Uber - 73 upvotes, $1500
  26. Changing paymentProfileUuid when booking a trip allows free rides to Uber - 72 upvotes, $5000
  27. OneLogin authentication bypass on WordPress sites via XMLRPC to Uber - 70 upvotes, $7000
  28. Pre-auth Remote Code Execution on multiple Uber SSL VPN servers to Uber - 67 upvotes, $2000
  29. xss in https://www.uber.com to Uber - 64 upvotes, $7000
  30. Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront to Uber - 63 upvotes, $1000
  31. Open AWS S3 bucket at ubergreece.s3.amazonaws.com exposes confidential internal documents and files to Uber - 63 upvotes, $500
  32. Lack of payment type validation in dial.uber.com allows for free rides to Uber - 62 upvotes, $5000
  33. Hack The World 2017 Top 2 Bonus to Uber - 60 upvotes, $5000
  34. Authorization issue in Google G Suite allows DoS through HTTP redirect to Uber - 60 upvotes, $2500
  35. SQL injection in 3rd party software Anomali to Uber - 57 upvotes, $2500
  36. Blind OOB XXE At "http://ubermovement.com/" to Uber - 53 upvotes, $500
  37. Multiple vulnerabilities in a WordPress plugin at drive.uber.com to Uber - 51 upvotes, $5000
  38. [manage.jumpbikes.com] Blind XSS on Jump admin panel via user name to Uber - 51 upvotes, $4000
  39. Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains to Uber - 48 upvotes, $6000
  40. OneLogin authentication bypass on WordPress sites to Uber - 47 upvotes, $10000
  41. Avoiding Surge Pricing to Uber - 45 upvotes, $3000
  42. Stored XSS on auth.uber.com/oauth/v2/authorize via redirect_uri parameter leads to Account Takeover to Uber - 42 upvotes, $3000
  43. Reflected XSS on multiple uberinternal.com domains to Uber - 39 upvotes, $2000
  44. SQLI on uberpartner.eu leads to exposure of sensitive user data of Uber partners to Uber - 39 upvotes, $1500
  45. Reflected XSS in lert.uber.com to Uber - 37 upvotes, $3000
  46. Critical Information disclosure of rtapi token for any user via https://video-support-staging.uber.com/video/api/getPopulousUser to Uber - 36 upvotes, $7000
  47. SQL injection in Wordpress Plugin Huge IT Video Gallery at https://drive.uber.com/frmarketplace/ to Uber - 36 upvotes, $3000
  48. Reflected XSS on https://www.uber.com to Uber - 36 upvotes, $1000
  49. Attacker could setup reminder remotely using brute force to Uber - 36 upvotes, $0
  50. phone number exposure for riders/drivers given email/uuid to Uber - 35 upvotes, $2000
  51. Change the rating of any trip, therefore change the average driver rating to Uber - 35 upvotes, $1500
  52. Possibility to brute force invite codes in riders.uber.com to Uber - 33 upvotes, $5000
  53. Stealing users password (Limited Scenario) to Uber - 33 upvotes, $100
  54. Reflected XSS on Partners Subdomain to Uber - 31 upvotes, $2000
  55. Full Path and internal information disclosure+ SQLNet.log file disclose internal network information to Uber - 31 upvotes, $0
  56. Arbitrary File Reading on Uber SSL VPN to Uber - 30 upvotes, $6500
  57. Stored XSS on developer.uber.com via admin account compromise to Uber - 30 upvotes, $5000
  58. Reflected XSS POST method at partners.uber.com to Uber - 30 upvotes, $3000
  59. Information Leakage - GitHub - VCenter configuration scripts, StorMagic usernames and password along with default ESXi root password to Uber - 28 upvotes, $1000
  60. Site-wide CSRF on eats.uber.com to Uber - 26 upvotes, $6000
  61. Improper Access Control on Onelogin in multi-layered architecture to Uber - 26 upvotes, $500
  62. Subdomain takeover on mta1a1.spmail.uber.com to Uber - 26 upvotes, $500
  63. Reflected XSS on developer.uber.com via Angular template injection to Uber - 24 upvotes, $3000
  64. duplicate hsts headers lead to firefox ignoring hsts on business.uber.com to Uber - 24 upvotes, $500
  65. Possible to View Driver Waybill via Driver UUID to Uber - 23 upvotes, $3000
  66. Get organization info base on uuid to Uber - 22 upvotes, $3000
  67. Possibility to enumerate and bruteforce promotion codes in Uber iOS App to Uber - 22 upvotes, $3000
  68. pam-ussh may be tricked into using another logged in user's ssh-agent to Uber - 22 upvotes, $1500
  69. Subdomain takeover of translate.uber.com, de.uber.com and fr.uber.com to Uber - 21 upvotes, $2250
  70. Outdated Wordpress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities to Uber - 21 upvotes, $500
  71. Exposed█████████in apk file - devbuilds.uber.com to Uber - 18 upvotes, $1500
  72. CBC "cut and paste" attack may cause Open Redirect(even XSS) to Uber - 18 upvotes, $500
  73. Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin to Uber - 17 upvotes, $5000
  74. XSS on partners.uber.com due to no user input sanitisation to Uber - 17 upvotes, $1000
  75. IDOR in activateFuelCard id allows bulk lookup of driver uuids to Uber - 17 upvotes, $500
  76. Multiple Vulnerabilities (Including SQLi) in love.uber.com to Uber - 17 upvotes, $250
  77. deleting payment profile during active trip puts account into arrears but active trip is temporarily “free” to Uber - 17 upvotes, $0
  78. Privacy policy contains hardcoded link using unencrypted HTTP to Uber - 17 upvotes, $0
  79. SQLI on desafio5estrelas.com to Uber - 16 upvotes, $2500
  80. Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/ to Uber - 16 upvotes, $500
  81. Information regarding trips from other users to Uber - 15 upvotes, $5000
  82. IDOR on partners.uber.com allows for a driver to override administrator documents to Uber - 15 upvotes, $500
  83. XSS @ love.uber.com to Uber - 14 upvotes, $3000
  84. Missing authorization checks leading to the exposure of ubernihao.com administrator accounts to Uber - 14 upvotes, $3000
  85. xss vulnerability in http://ubermovement.com/community/daniel to Uber - 14 upvotes, $750
  86. Cleartext password exposure allows access to the desafio5estrelas.com admin panel to Uber - 14 upvotes, $500
  87. Lack of CNAME/A Record Trimming Pointing Uber Domains to Insecure Non-Uber AWS Instances/Sites to Uber - 13 upvotes, $1500
  88. SMS/Call spamming due to truncated phone number to Uber - 13 upvotes, $500
  89. Chained vulnerabilities create DOS attack against users on desafio5estrelas.com to Uber - 12 upvotes, $1000
  90. Lack of rate limiting on get.uber.com leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers to Uber - 11 upvotes, $3000
  91. XSS in ubermovement.com via editable Google Sheets to Uber - 11 upvotes, $2000
  92. Bulk UUID enumeration via invite codes to Uber - 11 upvotes, $1500
  93. Uber employees are sharing information on productforums.google.com to Uber - 11 upvotes, $1000
  94. No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts to Uber - 11 upvotes, $750
  95. Server version disclosure to Uber - 11 upvotes, $0
  96. Access to SQL server of ubergreen.pt through password disclosure from different domain on same IP to Uber - 10 upvotes, $750
  97. Open redirect on rush.uber.com, business.uber.com, and help.uber.com to Uber - 10 upvotes, $500
  98. Session not expired When logout [partners.uber.com] to Uber - 10 upvotes, $0
  99. Open Redirect in riders.uber.com to Uber - 9 upvotes, $500
  100. Cookie Bombing cause DOS - businesses.uber.com to Uber - 9 upvotes, $500
  101. Unsecured Dropwizard Admin Panel on display.uber-adsystem.com exposes sensitive server information to Uber - 9 upvotes, $500
  102. Lack of CSRF protection on uberps.com makes every form vulnerable to CSRF to Uber - 9 upvotes, $500
  103. Full path disclosure on track.uber.com to Uber - 9 upvotes, $100
  104. Bypassing Uber Partner's 3 Cancel Limit to Uber - 8 upvotes, $2000
  105. [IODR] Get business trip via organization id to Uber - 8 upvotes, $2000
  106. Open Redirection on Uber.com to Uber - 8 upvotes, $500
  107. Open Redirect in m.uber.com to Uber - 8 upvotes, $500
  108. [usuppliers.uber.com] - Server Side Request Forgery via XXE OOB to Uber - 8 upvotes, $500
  109. Bruteforce INVITE codes easy way to Uber - 8 upvotes, $0
  110. Delay of arrears notification allows Riders to take multiple rides without paying to Uber - 8 upvotes, $0
  111. Reflected XSS on Uber.com careers to Uber - 7 upvotes, $3000
  112. Can add employee in business.uber.com without add payment method to Uber - 7 upvotes, $0
  113. The Microsoft Store Uber App Does Not Implement Certificate Pinning to Uber - 7 upvotes, $0
  114. Information Leak - GitHub - Endpoint Configuration Details to Uber - 7 upvotes, $0
  115. Reflected XSS via Unvalidated / Open Redirect in uber.com to Uber - 6 upvotes, $3000
  116. newsroom.uber.com is vulnerable to 'SOME' XSS attack via plupload.flash.swf to Uber - 6 upvotes, $1000
  117. ability to retrieve a user's phone-number/email for a given inviteCode to Uber - 6 upvotes, $1000
  118. Users can falsely declare their own Uber account info on the monthly billing application to Uber - 6 upvotes, $500
  119. SMS URL verification link does not expire on phone number change and lacks rate limiting to Uber - 6 upvotes, $500
  120. Listing of email addresses of whitelisted business users visible at business.uber.com to Uber - 6 upvotes, $250
  121. Stored Cross Site Scripting [SELF] in partners.uber.com to Uber - 6 upvotes, $0
  122. It's possible to view configuration and/or source code on uchat.awscorp.uberinternal.com without to Uber - 6 upvotes, $0
  123. Physical Access to Mobile App Allows Local Attribute Updates without Authentication to Uber - 6 upvotes, $0
  124. Stored XSS in archive.uber.com Due to Injection of Javascript:alert(0) to Uber - 5 upvotes, $3000
  125. Reflected XSS via Livefyre Media Wall in newsroom.uber.com to Uber - 5 upvotes, $2000
  126. Stored XSS in drive.uber.com WordPress admin panel to Uber - 5 upvotes, $2000
  127. Email Address Enumeration to Uber - 5 upvotes, $0
  128. Requested and received edit access to Google form to Uber - 5 upvotes, $0
  129. reopen #128853 (Information disclosure at lite.uber.com) to Uber - 5 upvotes, $0
  130. Content injection on 404 error page at faspex.uber.com to Uber - 5 upvotes, $0
  131. muber-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 5 upvotes, $0
  132. lert.uber.com: Few default folders/files of AURA Framework are accessible to Uber - 5 upvotes, $0
  133. [experience.uber.com] Node.js source code disclosure & anonymous access to internal Uber documents, templates and tools to Uber - 5 upvotes, $0
  134. stack trace exposed on https://receipts.uber.com/ to Uber - 5 upvotes, $0
  135. Mass Assignment Vulnerability in partners.uber.com to Uber - 4 upvotes, $1000
  136. Thumbor misconfiguration at blogapi.uber.com can lead to DoS to Uber - 4 upvotes, $500
  137. Compromising Atlassian Confluence (team.uberinternal.com) via WordPress (newsroom.uber.com) to Uber - 4 upvotes, $0
  138. Disclosure of ways to the site root to Uber - 4 upvotes, $0
  139. Uber is Flooding my Mobile with SMS Daily like a cron JOB to Uber - 4 upvotes, $0
  140. XSS in uber oauth to Uber - 4 upvotes, $0
  141. XSS via password recovering to Uber - 4 upvotes, $0
  142. Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication to Uber - 4 upvotes, $0
  143. XSS in getrush.uber.com to Uber - 3 upvotes, $3000
  144. SQLi in love.uber.com to Uber - 3 upvotes, $3000
  145. Dom Based Xss to Uber - 3 upvotes, $3000
  146. CSV Injection in business.uber.com to Uber - 3 upvotes, $1000
  147. Wordpress Vulnerabilities in transparencyreport.uber.com and eng.uber.com domains to Uber - 3 upvotes, $1000
  148. Brute-Forcing invite codes in partners.uber.com to Uber - 3 upvotes, $750
  149. LIsting of http://archive.uber.com/pypi/simple/ to Uber - 3 upvotes, $0
  150. CSRF on eng.uber.com may lead to server-side compromise to Uber - 3 upvotes, $0
  151. Self-XSS Vulnerability on Password Reset Form to Uber - 3 upvotes, $0
  152. Unsubscribe any user from receiving email to Uber - 3 upvotes, $0
  153. Use Partner/Driver App Without Being Activated to Uber - 3 upvotes, $0
  154. Phone Number Enumeration to Uber - 3 upvotes, $0
  155. Newsroom.uber HTML form without CSRF protection to Uber - 3 upvotes, $0
  156. Information Disclosure on lite.uber.com to Uber - 3 upvotes, $0
  157. Header Injection to Uber - 3 upvotes, $0
  158. Text Only Content Spoofing on ubermovement.com Community Page to Uber - 3 upvotes, $0
  159. Defect-Security | Driver-Broken Authentication | Able to update the Subscription Setting anonymously to Uber - 3 upvotes, $0
  160. XSS in people.uber.com to Uber - 3 upvotes, $0
  161. text injection in get.uber.com/check-otp to Uber - 3 upvotes, $0
  162. The Microsoft Store Uber App Does Not Implement Server-side Token Revocation to Uber - 3 upvotes, $0
  163. The Uber Promo Customer Endpoint Does Not Implement Multifactor Authentication, Blacklisting or Rate Limiting to Uber - 3 upvotes, $0
  164. SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
  165. SSL-protected Reflected XSS in m.uber.com to Uber - 3 upvotes, $0
  166. SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
  167. udi-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
  168. lite:sess Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
  169. Disclosure of Co-Rider user (Uber-pooling) profile picture at Amazon AWS Cloudfront within HTTP RESPONSE to Uber - 2 upvotes, $1000
  170. Drivers can change profile picture to Uber - 2 upvotes, $500
  171. Estimation of a Lower Bound on Number of Uber Drivers via Enumeration to Uber - 2 upvotes, $500
  172. It is possible to re-rate a driver after a very long time to Uber - 2 upvotes, $0
  173. Pixel flood attack in https://riders.uber.com/profile to Uber - 2 upvotes, $0
  174. CRLF Injection in developer.uber.com to Uber - 2 upvotes, $0
  175. Enumerating userIDs with phone numbers to Uber - 2 upvotes, $0
  176. Active Email Hyperlink Sent on riders.uber.com to Uber - 2 upvotes, $0
  177. Disclosure of ip addresses in local network of uber to Uber - 2 upvotes, $0
  178. Information disclosure at lite.uber.com to Uber - 2 upvotes, $0
  179. faspex.uber.com uses an invalid SSL certificate to Uber - 2 upvotes, $0
  180. Server version disclosure: team.uberinternal.com to Uber - 2 upvotes, $0
  181. Email Enumeration Vulnerability to Uber - 2 upvotes, $0
  182. Uber for Business Allows Administrators to Change Uber Driver Ratings Due to Failure to Authenticate fast-rating Endpoint to Uber - 2 upvotes, $0
  183. Missing authentication on Notification setting . to Uber - 2 upvotes, $0
  184. XSS In archive.uber.com Due to Mime Sniffing in IE to Uber - 1 upvotes, $750
  185. XSS on partners.uber.com to Uber - 1 upvotes, $500
  186. Easy spam with USE My PHONE Feature to Uber - 1 upvotes, $250
  187. Issue with Password reset functionality to Uber - 1 upvotes, $100
  188. Cross-site Scripting (XSS) autocomplete generation in https://www.uber.com/ to Uber - 1 upvotes, $0
  189. HTML Escaping Error in the 404 Page on developer.uber.com/docs/ to Uber - 1 upvotes, $0
  190. Cross-site Scripting (XSS) to Uber - 1 upvotes, $0
  191. XSS on love.uber.com to Uber - 1 upvotes, $0
  192. Session retention is present which reveals the customer info to Uber - 1 upvotes, $0
  193. CrashPlan Backup is Vulnerable Allowing to a DoS Attack Against Uber's Backups to backup.uber.com to Uber - 1 upvotes, $0
  194. DOM based XSS on to Uber - 1 upvotes, $0
  195. Password Reset Does Not Confirm the Existence of an Email Address to Uber - 1 upvotes, $0
  196. Create account in uber without signup form to Uber - 1 upvotes, $0
  197. Privilege escalation to allow non activated users to login and use uber partner ios app to Uber - 1 upvotes, $0
  198. Uber password reset link EMAIL FLOOD to Uber - 1 upvotes, $0
  199. Uploading Plain Text to uber-documents.s3.amazonaws.com Through the Driver Document Upload Page to Uber - 1 upvotes, $0
  200. Changing Driver Passwords With Only an Authenticated Session (no password, no email) to Uber - 1 upvotes, $0
  201. SMS Flood with Update Profile to Uber - 1 upvotes, $0
  202. Brute Forcing rider-view Endpoint Allows for Counting Number of Active Uber Drivers to Uber - 1 upvotes, $0
  203. Session Impersonation in riders.uber.com to Uber - 1 upvotes, $0
  204. developer.uber.com/404 and developer.uber.com/docs/404 are susceptible to iframes to Uber - 1 upvotes, $0
  205. Unauthorized file (invoice) download to Uber - 1 upvotes, $0
  206. Authentication Issue for easter egg on bonjour.uber.com to Uber - 1 upvotes, $0
  207. Command Injection, Information to Uber - 1 upvotes, $0
  208. Self-XSS in Partners Profile to Uber - 1 upvotes, $0
  209. Error Message on 404 page to Uber - 1 upvotes, $0
  210. Clickjacking in love.uber.com to Uber - 1 upvotes, $0
  211. Stored self-XSS at m.uber.com to Uber - 1 upvotes, $0
  212. User credentials are not strong on vault.uber.com to Uber - 1 upvotes, $0
  213. Self-XSS on partners.uber.com to Uber - 1 upvotes, $0
  214. Brute Force Amplification Attack to Uber - 1 upvotes, $0
  215. User Enumeration and Information Disclosure to Uber - 1 upvotes, $0
  216. Design Issue at riders.uber.com/profile to Uber - 1 upvotes, $0

Back