Uber Bug Bounty: $1000 for two “high severity” issues

Despite the fact that I am fairly active on the various bug bounty platforms, I usually don’t blog about my activities or promote myself for the issues I have found. This has helped me stay within the disclosure policies of many programs. However, after my experience with the new and revamped Uber bug bounty program, I think that this time I need to make this one public for the sake of others.

What were the bugs

To make a long story short, when browsing GitHub for potential information leaks, I found a suite of PowerShell scripts that were used to onboard new ESX servers on Uber’s corporate VMware vCenter. When digging inside the files, I was able to find several credentials, which I thought were valid since the commits were less than a month old. However, since those were internal, I couldn’t prove the point. I also found a second leak that was exposing very interesting information about their endpoint security. Specifically:

Issue #1:

  • VMware ESX local root password
  • vCenter administrative credentials (a corporate domain account)
  • Backup storage administrative credentials

Issue #2:

  • Versions and types of endpoint security defenses (enough information to craft targeted malware)

Based on this, I immediately reported the two repositories to Uber, since I still considered these findings to be high severity.

Initial Reaction of the Program

For the first issue, the program triaged the report after 1 day and started their investigation. So far, so good. After 5 days without any news, I asked for an update. I got an indication that the credentials had expired at the time of submission, and Uber closed the report shortly after. In the meantime, the repository was removed from GitHub, and Uber closed the report as resolved. I want to reiterate: the commits were less than 1 month old (10 days old, to be precise).

For the second issue, same pattern: the report was triaged quickly, and the program mentioned upfront that it would be unlikely to get a bounty “because it was considered to be a low security impact”.

Access to SendGrid

That said, let me tell you I wasn’t super happy with their response. In my opinion, those credentials, or at least some of them, were not temporary things. So, I went back to the leak and looked in the commit history to see if other data could be found. Result: yes, there was. I found some code used to push alerts to SendGrid using one of those credentials. I went ahead and tried to log in to the SendGrid platform, thinking it wouldn’t work; these were temporary and expired after all, right? However, the password worked. Hmmm? As a result, I potentially gained the ability to send (a lot of) valid emails using a @uber.com address that would most likely pass SPF checks (N.B. “potentially” and “most likely” are used because I didn’t validate this, to stay within the rules). The fact that those credentials worked on an external service raised a reasonable doubt about Uber’s response:

  • Did they even look at the ENTIRE leaked data?
  • Did they REALLY try to log into the impacted systems using the right credentials?
  • Did they consider looking for password reuse?
  • Did they check all the other systems that may have those accounts (local, remote or cloud)?

At this point, I stopped immediately, logged off, and reported the update to Uber.
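The questions above are exactly what a triager can answer mechanically: walk the whole commit history rather than the current tree, and check whether one leaked password shows up in more than one place. The script below is an added example written for this page; it is not code from the original post, from Uber, or from the leaked repository. It parses `git log -p --all` output, flags credential idioms typical of PowerShell ops scripts (plaintext `ConvertTo-SecureString`, literal `-Password` arguments, `$...Password = "..."` assignments) plus the SendGrid API key format, then reports secrets reused across files and secrets that were scrubbed from HEAD but remain recoverable from history. The regexes are heuristics, not an exhaustive detector, and the commit hashes, hostnames, file names and credentials in the embedded sample history are constructed for illustration.

```python
"""Scan a git history dump for hard-coded credentials across every commit."""
import re
import subprocess
from collections import defaultdict
from dataclasses import dataclass

# Credential idioms common in PowerShell ops scripts, plus the SendGrid API key format
# ("SG.<id>.<secret>"). Heuristics, not a full detector; first matching pattern wins.
PATTERNS = (
    ("powershell_plaintext_securestring", re.compile(r'ConvertTo-SecureString\s+["\']([^"\']+)["\']\s+-AsPlainText', re.I)),
    ("powershell_password_param", re.compile(r'-Password\s+["\']([^"\']+)["\']', re.I)),
    ("generic_assignment", re.compile(r'\$?(?:\w*pass(?:word|wd)?|pwd|secret)\s*=\s*["\']([^"\']{4,})["\']', re.I)),
    ("sendgrid_api_key", re.compile(r'(SG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,})')),
)

@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    change: str    # "added" or "removed" by this commit
    pattern: str
    secret: str

def scan_git_log(text):
    """Parse `git log -p --all` output (newest commit first); flag every added OR removed
    line carrying a credential. A secret deleted later is gone from HEAD, not from history."""
    findings, commit, path = [], None, None
    for raw in text.splitlines():
        if raw.startswith("commit "):
            commit, path = raw.split()[1], None
        elif raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith(("--- ", "diff --git", "@@", "index ")):
            continue  # diff headers, not file content
        elif raw[:1] in ("+", "-") and commit and path:
            for name, rx in PATTERNS:
                m = rx.search(raw[1:])
                if m:
                    change = "added" if raw[0] == "+" else "removed"
                    findings.append(Finding(commit, path, change, name, m.group(1)))
                    break
    return findings

def reused_secrets(findings):
    """Secrets present in more than one file: one leaked password, several systems."""
    paths = defaultdict(set)
    for f in findings:
        paths[f.secret].add(f.path)
    return {s: sorted(p) for s, p in paths.items() if len(p) > 1}

def head_status(findings):
    """Per (secret, path): 'present_in_head' if the newest change added it, else
    'removed_from_head' (scrubbed from the tree, recoverable with `git log -p`)."""
    status = {}
    for f in findings:  # newest first, so the first hit per key decides
        status.setdefault((f.secret, f.path),
                          "removed_from_head" if f.change == "removed" else "present_in_head")
    return status

def scan_repo(repo_dir):
    """Scan a local clone; --all covers every branch and tag, not just HEAD."""
    proc = subprocess.run(["git", "-C", repo_dir, "log", "-p", "--all", "--no-color"],
                          check=True, capture_output=True, text=True, errors="replace")
    return scan_git_log(proc.stdout)

# Constructed sample history: hashes, hostnames and credentials are all made up.
SAMPLE_GIT_LOG = r'''commit cccccccccccccccccccccccccccccccccccccccc
diff --git a/onboard-esx.ps1 b/onboard-esx.ps1
--- a/onboard-esx.ps1
+++ b/onboard-esx.ps1
@@ -1,3 +1,3 @@
 $vcenter = "vcenter.corp.example.invalid"
-$esxRootPassword = "Sample-Pa55w0rd!"
+$esxRootPassword = Read-Host -AsSecureString "ESX root password"
commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
diff --git a/send-alert.ps1 b/send-alert.ps1
--- /dev/null
+++ b/send-alert.ps1
@@ -0,0 +1,3 @@
+$smtpPassword = ConvertTo-SecureString "Sample-Pa55w0rd!" -AsPlainText -Force
+$cred = New-Object System.Management.Automation.PSCredential("alerts-sender", $smtpPassword)
+Send-MailMessage -SmtpServer "smtp.sendgrid.net" -Credential $cred -From "alerts@example.invalid" -To "ops@example.invalid"
commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
diff --git a/onboard-esx.ps1 b/onboard-esx.ps1
--- /dev/null
+++ b/onboard-esx.ps1
@@ -0,0 +1,4 @@
+$vcenter = "vcenter.corp.example.invalid"
+$esxRootPassword = "Sample-Pa55w0rd!"
+$vcAdmin = New-Object System.Management.Automation.PSCredential("CORP\svc-vcenter", (ConvertTo-SecureString "Vc-Adm1n-Sample" -AsPlainText -Force))
+Add-VMHost -Name $esxHost -User root -Password $esxRootPassword
'''

if __name__ == "__main__":
    found = scan_git_log(SAMPLE_GIT_LOG)
    print(*found, reused_secrets(found), head_status(found), sep="\n")
```

Run `scan_repo("/path/to/clone")` against a local clone to get the same report for a real repository. On the sample, the ESX root password is reported as removed from HEAD in the newest commit yet still reused by the alerting script, which is the situation worth checking for before declaring a leak expired: deleting the repository from GitHub does nothing for anyone who already cloned it, and `head_status` only tells you what the current tree says, not which systems still accept the password.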

Second Reaction of the Program

The program received the new information and fixed the issue on the SendGrid platform promptly. However, their final answer shocked me. I was told I had gained the ability to send an email using a valid uber.com address… but that the account was no longer in use.

No longer in use… OK, but I just logged in… and they confirmed the impact! Confusing, isn’t it?

And what about those endpoint protections?

Let’s just say I am not an evil bad guy with enough free time to spend on crafting targeted malware to MAYBE receive a bounty of $500! But I know enough about their endpoint protection to start with a huge advantage.

Conclusion

As a final question, I asked the program why the bounty wasn’t higher, knowing that phishing is all a bad guy needs to facilitate access to PII or credentials, and unfortunately, based on the bounty level and the answer I got, it appears the program didn’t fully understand the real impact of that access. The severity was also downgraded to medium. As for the second leak, I didn’t waste any time on it, knowing it was a lost battle upfront. The total bounties for those 2 reports were $1000 and $0 respectively.

Now, as a last question, are you really sure the last marketing communication you received from Uber was really sent by Uber!?… No worries, I can confirm it was; I am just an ethical hacker after all :)

Report #1: https://hackerone.com/reports/365199

Report #2: https://hackerone.com/reports/378558