Mohamed M. Fouad has discovered a "promo codes brute-force attack" vulnerability in Uber's sign-up invitation link, which allows any user to invite another user to join the service and get one or more free rides, depending on the value of the promotion code.
Fouad realized that the Uber app had no protection against brute-force attacks, allowing him to generate candidate promo codes (which start with 'uber+code_name') until he found valid ones.
Fouad has also provided a video demonstration as a proof of concept to show the brute-force attack in action. You can watch the video given below:
Uber Team Refuses to Patch the Flaw
As a responsible security researcher, Fouad also reported the critical flaw multiple times to the Uber security team, but the company did not accept his bug report and considered the vulnerability out of scope.
"I reported this vulnerability three months ago, and I am not the only one who reported it," Fouad told The Hacker News. "They always reply with 'out of scope' and consider it fraud, and we have to send this bug to the fraud team."
Another security researcher, named Ali Kabeel, also reported the same flaw, but in the URL code customization feature at riders.uber.com/profile. He also got the same response from the Uber team that the flaw is out of scope.
Although the company fixed the brute-force vulnerability on the payment page by applying rate limiting, the two areas of the app described above remain vulnerable, which could lead to many fraud incidents.
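The article names rate limiting as the mitigation Uber applied to the payment page. As an added illustration, not Uber's code and not part of the original article, the block below shows what a rate-limited promo-code redemption check with a brute-force lockout and an alert record for the SOC can look like. The PromoRedemptionGuard class, its thresholds, the account ids, IP addresses and the valid code are all constructed for this example.

```python
"""Rate-limited promo-code redemption with brute-force lockout (constructed example)."""
import time
from collections import deque


class PromoRedemptionGuard:
    """Guards a promo-code redemption endpoint.

    Policy (constructed for this example): an account may make at most
    ``max_failures`` failed attempts in any ``window``-second span. Exceeding
    that locks the account out of redemption for ``lockout`` seconds and emits
    an alert record that a SIEM or fraud team can consume. While locked, the
    endpoint returns the same answer for valid and invalid codes, so it no
    longer serves as an oracle for which codes exist.
    """

    def __init__(self, valid_codes, max_failures=5, window=600,
                 lockout=3600, clock=time.monotonic):
        self.valid_codes = {c.lower() for c in valid_codes}
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock            # injectable for deterministic tests
        self._failures = {}           # account_id -> deque of failure timestamps
        self._locked_until = {}       # account_id -> time at which the lockout ends
        self.alerts = []              # alert records for detection/response

    def redeem(self, account_id, code, source_ip="unknown"):
        now = self.clock()

        # 1. Locked accounts get a uniform answer, even for a valid code.
        until = self._locked_until.get(account_id)
        if until is not None:
            if now < until:
                return "locked"
            del self._locked_until[account_id]      # lockout expired
            self._failures.pop(account_id, None)

        # 2. Drop failures that have fallen out of the sliding window.
        fails = self._failures.setdefault(account_id, deque())
        while fails and now - fails[0] > self.window:
            fails.popleft()

        # 3. A valid code clears the failure history and is accepted.
        if code.strip().lower() in self.valid_codes:
            self._failures.pop(account_id, None)
            return "accepted"

        # 4. An invalid code is counted; once the budget is spent, lock and alert.
        fails.append(now)
        if len(fails) >= self.max_failures:
            self._locked_until[account_id] = now + self.lockout
            self.alerts.append({
                "type": "promo_code_bruteforce",
                "account_id": account_id,
                "source_ip": source_ip,
                "failures_in_window": len(fails),
                "locked_until": now + self.lockout,
            })
            return "locked"
        return "rejected"


def demo():
    """Replays a constructed attempt sequence against the guard and returns the outcomes."""
    t = [1000.0]                                   # manual clock, seconds
    guard = PromoRedemptionGuard(
        valid_codes={"uber-free-ride-constructed"},  # constructed valid code
        max_failures=3, window=600, lockout=3600, clock=lambda: t[0])
    outcomes = []
    # Three wrong guesses from one account exhaust the budget (constructed values).
    for guess in ("uber-abc", "uber-def", "uber-ghi"):
        outcomes.append(guard.redeem("acct-42", guess, "198.51.100.7"))
        t[0] += 5
    # Locked: the real code is refused with the same answer as a wrong one.
    outcomes.append(guard.redeem("acct-42", "uber-free-ride-constructed", "198.51.100.7"))
    # A different account is unaffected by acct-42's lockout.
    outcomes.append(guard.redeem("acct-77", "uber-free-ride-constructed", "203.0.113.9"))
    # After the lockout expires, the legitimate holder can redeem again.
    t[0] += 3600
    outcomes.append(guard.redeem("acct-42", "uber-free-ride-constructed", "198.51.100.7"))
    return outcomes, len(guard.alerts)


if __name__ == "__main__":
    print(demo())
```

The failure counter is keyed on the account rather than the code, because the pattern that matters for detection is one actor trying many distinct codes; the alert record carries the source IP so the same behaviour spread across several accounts can still be correlated downstream.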