It was a Saturday at 2:00 AM, and I was with a friend looking for security flaws to report to a private program. After trying several things we could not find anything (the scope was small and the sites mostly static).
Out of curiosity, I decided to change program and scope, so I started looking for bugs in Uber. Uber has an interesting scope, although the best bug hunters in the world are finding security flaws in its websites every day.
By chance, I came across an endpoint for an information search in Santiago de Chile, which is the following.
Through this endpoint, a user could search for information. As usual (I imagine many do this xd) I inserted an XSS-type vector; however, it did not work.
Later, I tested multiple obfuscated HTML characters, and analyzed the behavior of the front-end and the DOM. I realized it was possible to inject the less-than and greater-than characters; however, when I added a slash the vector was rejected, and if the vector contained the word “script” it was deleted as well.
However, I found a simple bypass: supply the slash in its percent-encoded form (%2f), and write the word “script” in mixed lowercase and uppercase.
Finally, I created the following payload:
The XSS was exploited successfully.
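The filter described above is a blocklist applied before URL decoding, with a case-sensitive match on “script”. The following added example (my own illustration, not Uber’s code) models that filter on constructed inputs and contrasts it with context-aware output encoding, which needs no blocklist at all and does not mangle legitimate queries that contain a slash.

```python
import html
from urllib.parse import unquote

# Constructed model of the flawed filter the write-up describes (not Uber's code):
# it strips "/" and the lowercase word "script" from the raw query string but
# leaves "<" and ">" untouched, and the framework URL-decodes the value afterwards.
def naive_blocklist_filter(raw_query: str) -> str:
    filtered = raw_query.replace("/", "").replace("script", "")
    return unquote(filtered)  # decoding runs after the check, so "%2f" survives as "/"

# Hardened handling: decode first, then encode for the HTML context where the
# value is reflected. Angle brackets become entities, so no blocklist is needed.
def render_safely(raw_query: str) -> str:
    return html.escape(unquote(raw_query), quote=True)

def contains_markup(rendered: str) -> bool:
    """True if raw angle brackets reach the page, i.e. the input could form a tag."""
    return "<" in rendered or ">" in rendered

# Constructed inputs covering the two gaps the write-up names (a percent-encoded
# slash and a mixed-case tag name) plus an ordinary, benign search term.
SAMPLES = {
    "encoded_slash": "<b>Santiago<%2fb>",
    "mixed_case_tag": "<ScRiPt>",
    "benign": "Plaza de Armas",
}

def compare(samples=SAMPLES):
    """Return {name: (blocklist_lets_markup_through, escaping_lets_markup_through)}."""
    return {
        name: (contains_markup(naive_blocklist_filter(q)), contains_markup(render_safely(q)))
        for name, q in samples.items()
    }

if __name__ == "__main__":
    for name, (naive_bad, safe_bad) in compare().items():
        print(f"{name:15} blocklist leaks markup: {naive_bad!s:5} escaping leaks markup: {safe_bad}")
```

The blocklist also corrupts harmless input such as "1/2", while escaping leaves it intact; that false-positive cost is a second reason to prefer encoding over filtering.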
A couple of days later, I had the opportunity to attend the h1-702 Bug Bounty event. Talking to a friend (Stefano @stefanohablando), he told me there was a way to chain the XSS so that it could obtain the Facebook session token of an Uber user’s account and thus take over the user’s session. (This is because Uber allows login with Facebook; any website that implements this mechanism poorly could be affected if it has an XSS vulnerability.)
For the token extraction, the following Facebook Developers functionality can be used.
- Uber did not have an adequate ACL, since it was possible to call for the Facebook token contained in auth.uber.com.
Finally, once all of the conditions above were met, an exploit was created which, by sending a malicious link to a victim authenticated with Facebook, would obtain that user’s Facebook token. The valid user session would then be established in order to obtain the user’s email address and send the UUID to that address as proof of concept.
After all this, the victim would receive something like the following:
Thanks Stefano (@stefanohablando) for helping me with the creation of the final exploit; please follow him. Thanks again.