1. 55

  2. 26

    https://hackerone.com/reports/293359#activity-2203160 via https://twitter.com/infosec_au/status/945048806290321408 seems to at least shed a bit more light on things. I don’t find this kind of behavior to be OK at all:

    “Oh my God.

    Are you seriously the Program Manager for Uber’s Security Division, with a 2013 psych degree and zero relevant industry experience other than technical recruiting?

    LULZ”

    1. 6

      The real impact with this vulnerability is the lack of rate limiting and/or IP address blacklisting for multiple successive failed authentication attempts, both issues of which were not mentioned within your summary dismissal of the report. Further, without exhaustive entropy analysis of the PRNG that feeds your token generation process, hand waving about 128 bits is meaningless if there are any discernible patterns that can be picked up in the PRNG.

      Hrm. He really wants to be paid for this?

      1. 3

        I mean, it’s a lot better than, say, promising a minimum of 500 for unlisted vulnerabilities and then repeatedly not paying it. Also, that’s not an unfair critique–if you’re a program manager in a field, I’d expect some relevant experience. Or, maybe, we should be more careful about handing out titles like program manager, project manager, product manager, etc. (a common issue outside of security!).

        At the core of it, it seems like the fellow dutifully tried to get some low-hanging fruit and was rebuffed, multiple times. This was compounded when the issues were closed as duplicate or known or unimportant or whatever…it’s impossible to tell the difference from the outside between a good actor saying “okay this is not something we care about” and a bad actor just wanting to save 500 bucks/save face.

        Like, the correct thing to have done would have been to say “Hey, thanks for reporting that, we’re not sure that that’s a priority concern right now but here’s some amount of money/free t-shirt/uber credits, please keep at it–try looking .”

        The fact that the company was happy to accept the work product but wouldn’t compensate the person for what sounded like hours and hours of work is a very bad showing.

        1. 9

          Also, that’s not an unfair critique–if you’re a program manager in a field, I’d expect some relevant experience.

          No-one deserves to be talked to in that way, in any context, but especially not in a professional one.

          Or, maybe, we should be more careful about handing out titles like program manager, project manager, product manager, etc. (a common issue outside of security!).

          There is no evidence that the title was “handed out”, especially since we don’t even know what the job description is.

          1. 3
            1. open the hackerone thread
            2. open her profile to find her name
            3. look her up on linkedin

            I don’t presume to know what her job entails or whether or not she’s qualified, but titles should reflect reality or they lose their value. She certainly has a lot of endorsements on linkedin, which often carry more value than formal education.

            It’s “Program Manager, Security” btw.

            1. 2

              There is no evidence that the title was “handed out”, especially since we don’t even know what the job description is.

              There’s no evidence that it wasn’t–the point I’m making is that, due to practices elsewhere in industry, that title doesn’t really mean anything concrete.

        2. 12

          Sounds like they spent their bug bounty budget paying hush money on their data leak.

          1. 9

            The blog post is one-sided, and the comment from @andybons seems like every upvote is more about anti-Uber signaling than anything substantial.

            But maybe they did spend their bounty budget on paying hush money, yeah. Sure.

          2. 1

            Issue 1: The Uber Customer Promo Endpoint does not implement multi factor authentication resulting in the ability of an attacker to enumerate millions of OAuth2 rider and driver tokens.

            What does this mean and what can be done with this?
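The two technical claims that run through this thread, enumeration of tokens against an endpoint (the “Issue 1” quote above) and the absence of rate limiting or lockout for successive failed attempts (the report excerpt upthread), can be shown with a small simulation. This is an added example written for this page; it is not code from the report, from Uber, or from any commenter. The endpoint, the client IP address, the token width and the valid-token set are all constructed for illustration, and the token space is deliberately tiny (16 bits) so the full walk finishes instantly:

```python
import hmac
import secrets
from collections import defaultdict, deque


def make_token(bits: int) -> str:
    """Fixed-width hex token drawn from a `bits`-bit space (constructed example)."""
    width = (bits + 3) // 4
    return format(secrets.randbelow(1 << bits), f"0{width}x")


class TokenEndpoint:
    """Toy bearer-token check with optional per-client failure rate limiting.

    This is a hypothetical service, not the Uber endpoint discussed in the thread.
    """

    def __init__(self, valid_tokens, max_failures=5, window=60.0, rate_limit=True):
        self._valid = set(valid_tokens)
        self.max_failures = max_failures
        self.window = window                  # seconds
        self.rate_limit = rate_limit
        self._failures = defaultdict(deque)   # client_ip -> timestamps of failed checks
        self.served = 0                       # requests that reached the token comparison

    def _blocked(self, client_ip: str, now: float) -> bool:
        q = self._failures[client_ip]
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        return len(q) >= self.max_failures

    def check(self, client_ip: str, token: str, now: float) -> str:
        """Return 'valid', 'invalid' or 'rate_limited' for one request at time `now`."""
        if self.rate_limit and self._blocked(client_ip, now):
            return "rate_limited"
        self.served += 1
        # Constant-time comparison so timing does not leak which prefix matched.
        ok = any(hmac.compare_digest(token, t) for t in self._valid)
        if not ok:
            self._failures[client_ip].append(now)
            return "invalid"
        return "valid"


def enumerate_tokens(endpoint, bits, client_ip="203.0.113.7", seconds_per_request=0.001):
    """Walk the entire `bits`-bit token space from one IP on a fake clock.

    Stops as soon as the endpoint starts refusing us; returns the tokens it confirmed.
    """
    width = (bits + 3) // 4
    found, now = [], 0.0
    for candidate in range(1 << bits):
        token = format(candidate, f"0{width}x")
        result = endpoint.check(client_ip, token, now)
        now += seconds_per_request
        if result == "valid":
            found.append(token)
        elif result == "rate_limited":
            break
    return found


def simulate(bits=16, n_valid=8, rate_limit=True):
    """Random valid tokens, one attacker IP; report how much of the space was searchable."""
    valid = {make_token(bits) for _ in range(n_valid)}
    ep = TokenEndpoint(valid, rate_limit=rate_limit)
    found = enumerate_tokens(ep, bits)
    return {"valid": len(valid), "found": len(found), "requests": ep.served}


if __name__ == "__main__":
    print("no rate limit:", simulate(rate_limit=False))   # every valid token recovered
    print("rate limit:   ", simulate(rate_limit=True))    # cut off after max_failures
```

Without the failure limit the attacker walks all 65,536 candidates and recovers every valid token; with it, the same client is refused after five wrong guesses inside the window. The 16-bit space stands in for the more realistic cases the report excerpt raises: a short or low-entropy identifier, or a long one produced by a predictable generator, where the advertised bit length says nothing about how many guesses an attacker actually needs. Per-IP limiting alone is also a weak bound, since an attacker can spread the guesses across many source addresses, which is why a per-account or global lockout is usually layered on top.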