About the UberCENTRAL tool:
For those who are unaware, the UberCENTRAL tool is a dashboard is an all-in-one dashboard where you can manage multiple Uber Accounts by tracking individual locations, arrival times, and schedule future pickups. This is handy to businesses who are motoring their customers around and footing the bill, or for scheduling rides for those who do not own smartphones (likely family members and friends).
Detailed Discovery of the Flaw:
A user by the name of ‘Roh’ found a flaw in UberCENTRAL administration console. Basically, he used a specific code manipulation known as an ‘Insecure Direct Object Reference’, or IDOR, attack. According to the OWASP wiki; here’s a quick summary of the steps to finding the flaw:
- Discovery: Use multiple accounts with different permissions to determine the common variable that tells the application to query the database.
- Testing: Looking at the code, changing a specific parameter to target a valid UberCENTRAL account’s e-mail, will send a response including the User’s Unique Identifier.
- Result: This UUID can then be used to expose full name, phone numbers, e-mails, etc.
Note: for those who are really interested in the fine details, check out Roh’s blog.
Fortunately, as of October the bug has been patched, so both drivers and passengers are protected from this exploit.
How We Move Forward:
However, according to TutorialPoint, developers should keep in mind to ‘only use one user or session for indirect object references’ and ‘check the access before using a direct object reference from an untrusted source.’