09/12/2019

Uber Confirms Account Takeover Vulnerability Found By Forbes 30 Under 30 Honoree

Forbes

A security vulnerability has been discovered that could allow attackers to compromise and control any Uber account. The security researcher who found the flaw has revealed that the vulnerability could be exploited to track a user’s location and take rides from their account. As well as Uber users, the same vulnerability impacted Uber driver accounts and Uber Eats accounts.

How a Forbes 30 Under 30 honoree could have hacked your Uber account

Anand Prakash, founder of AppSecure and a Forbes 30 Under 30 honoree, discovered that an attacker could exploit the vulnerability through an application programming interface (API) request. This involved first acquiring the universally unique identifier (UUID) of any user by sending an API request that included either their telephone number or email address. "Once you have the leaked Uber UUID from the API request," Prakash said, "you can replay the request using the victim’s Uber UUID and get access to private information like access token (mobile apps), location and address." Prakash says that with the mobile app's access token he was able to completely compromise a test account in this way, requesting rides, retrieving payment information and more. A proof-of-concept video showing the attack methodology in action can be found here.
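The weakness described above is an authorization flaw: one request resolves a phone number or email address to a UUID, and a second request that carries any UUID is answered with that account's private data, access token included. The following added example (not Uber's code; the users, tokens and function names are constructed for illustration) contrasts that pattern with a handler that ties the requested record to the authenticated caller and never echoes secret material back.

```python
# Added illustration of the authorization flaw described above; not Uber's code.
# Every user, token and handler name below is constructed for this example.
from dataclasses import dataclass


@dataclass
class User:
    uuid: str
    email: str
    phone: str
    access_token: str
    location: str


# Constructed sample user store, keyed by UUID.
USERS = {
    "uuid-alice": User("uuid-alice", "alice@example.com", "+15550001", "tok-alice", "Home"),
    "uuid-bob": User("uuid-bob", "bob@example.com", "+15550002", "tok-bob", "Work"),
}


def caller_uuid(bearer_token: str):
    """Resolve the caller's identity from the token presented with the request."""
    for u in USERS.values():
        if u.access_token == bearer_token:
            return u.uuid
    return None


# Vulnerable pattern: contact details resolve to a UUID, and the profile endpoint
# trusts the UUID supplied in the request instead of the caller's own identity.
def vulnerable_lookup(email_or_phone: str):
    for u in USERS.values():
        if email_or_phone in (u.email, u.phone):
            return u.uuid
    return None


def vulnerable_profile(bearer_token: str, target_uuid: str):
    if caller_uuid(bearer_token) is None:
        return 401, None
    u = USERS[target_uuid]  # missing check: target_uuid is never compared to the caller
    return 200, {"access_token": u.access_token, "location": u.location}


# Hardened pattern: object-level authorization, and tokens are never returned.
def hardened_profile(bearer_token: str, target_uuid: str):
    caller = caller_uuid(bearer_token)
    if caller is None:
        return 401, None
    if target_uuid != caller:
        return 404, None  # same answer as "no such record", so UUIDs are not confirmed
    return 200, {"location": USERS[caller].location}
```

A server that needs a contact-to-UUID lookup at all should rate-limit it and restrict it to the caller's own verified contact details, rather than answering for arbitrary phone numbers or addresses.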
