Reports in Uber program:

| S.No | Title | Bounty |
|---|---|---|
| 1 | [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo | $39999.99 |
| 2 | RCE via npm misconfig -- installing internal libraries from the public registry | $9000.0 |
| 3 | SAML Authentication Bypass on uchat.uberinternal.com | $8500.0 |
| 4 | [CRITICAL] -- Complete Account Takeover | $8000.0 |
| 5 | Open Redirect on central.uber.com allows for account takeover | $8000.0 |
| 6 | Chained Bugs to Leak Victim's Uber's FB Oauth Token | $7500.0 |
| 7 | Arbitrary File Reading on Uber SSL VPN | $6500.0 |
| 8 | Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains | $6000.0 |
| 9 | Stored XSS on any page in most Uber domains | $6000.0 |
| 10 | Chain of vulnerabilities in Uber for Business Vouchers program allows for attacker to perform arbitrary charges to victim's U4B payment account | $5750.0 |
| 11 | Stored XSS on developer.uber.com via admin account compromise | $5000.0 |
| 12 | Hack The World 2017 Top 2 Bonus | $5000.0 |
| 13 | Unauthorized access to █████████.com allows access to Uber Brazil tax documents and system. | $4500.0 |
| 14 | Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg | $4000.0 |
| 15 | Lack of rate limiting on get.uber.com leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers | $3000.0 |
| 16 | Get organization info based on uuid | $3000.0 |
| 17 | Possibility to enumerate and bruteforce promotion codes in Uber iOS App | $3000.0 |
| 18 | Reflected XSS POST method at partners.uber.com | $3000.0 |
| 19 | Stored XSS on auth.uber.com/oauth/v2/authorize via redirect_uri parameter leads to Account Takeover | $3000.0 |
| 20 | [First 30] Stored XSS on login.uber.com/oauth/v2/authorize via redirect_uri parameter | $3000.0 |
| 21 | SQL injection in 3rd party software Anomali | $2500.0 |
| 22 | SQLI on desafio5estrelas.com | $2500.0 |
| 23 | [IDOR] Get business trip via organization id | $2000.0 |
| 24 | Reflected XSS on Partners Subdomain | $2000.0 |
| 25 | Reflected XSS on multiple uberinternal.com domains | $2000.0 |
| 26 | XSS in ubermovement.com via editable Google Sheets | $2000.0 |
| 27 | Pre-auth Remote Code Execution on multiple Uber SSL VPN servers | $2000.0 |
| 28 | Full read SSRF in flyte-poc-us-east4.uberinternal.com | $2000.0 |
| 29 | [uchat.uberinternals.com] Mattermost doesn't check Origin in Websockets, which leads to the Critical Information Leakage. | $2000.0 |
| 30 | Change the rating of any trip, therefore change the average driver rating | $1500.0 |
| 31 | ubernycmarketplace.com is vulnerable to the Heartbleed Bug | $1500.0 |
| 32 | SQLI on uberpartner.eu leads to exposure of sensitive user data of Uber partners | $1500.0 |
| 33 | DOM based XSS via insecure parameter on [ https://uberpay-mock-psp.uber.com ] | $1420.0 |
| 34 | Wordpress Vulnerabilities in transparencyreport.uber.com and eng.uber.com domains | $1000.0 |
| 35 | Information Leakage - GitHub - VCenter configuration scripts, StorMagic usernames and password along with default ESXi root password | $1000.0 |
| 36 | XSS on partners.uber.com due to no user input sanitisation | $1000.0 |
| 37 | Reflected XSS on https://www.uber.com | $1000.0 |
| 38 | Chained vulnerabilities create DOS attack against users on desafio5estrelas.com | $1000.0 |
| 39 | Access to SQL server of ubergreen.pt through password disclosure from different domain on same IP | $750.0 |
| 40 | API on campus-vtc.com allows access to ~100 Uber users full names, email addresses and telephone numbers. | $750.0 |
| 41 | HTML injection via insecure parameter [https://www.ubercarshare.com/] | $650.0 |
| 42 | CBC "cut and paste" attack may cause Open Redirect (even XSS) | $500.0 |
| 43 | Estimation of a Lower Bound on Number of Uber Drivers via Enumeration | $500.0 |
| 44 | Open Redirect in m.uber.com | $500.0 |
| 45 | Improper Access Control on Onelogin in multi-layered architecture | $500.0 |
| 46 | Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/ | $500.0 |
| 47 | Open Redirect in riders.uber.com | $500.0 |
| 48 | duplicate hsts headers lead to firefox ignoring hsts on business.uber.com | $500.0 |
| 49 | Outdated Wordpress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities | $500.0 |
| 50 | Thumbor misconfiguration at blogapi.uber.com can lead to DoS | $500.0 |
| 51 | Open AWS S3 bucket at ubergreece.s3.amazonaws.com exposes confidential internal documents and files | $500.0 |
| 52 | Unsecured Dropwizard Admin Panel on display.uber-adsystem.com exposes sensitive server information | $500.0 |
| 53 | Lack of CSRF protection on uberps.com makes every form vulnerable to CSRF | $500.0 |
| 54 | Cleartext password exposure allows access to the desafio5estrelas.com admin panel | $500.0 |
| 55 | 4 Subdomains Takeover on 2 domains ( muberscolombia.com & ubereats.pl ) | $500.0 |
| 56 | [data-07.uberinternal.com] SSRF in Portainer app lead to access to Internal Docker API without Auth | $500.0 |
| 57 | Listing of email addresses of whitelisted business users visible at business.uber.com | $250.0 |
| 58 | Full path disclosure on track.uber.com | $100.0 |
| 59 | Avoiding Surge Pricing | $0.0 |
| 60 | Content injection on 404 error page at faspex.uber.com | $0.0 |
| 61 | Brute Force Amplification Attack | $0.0 |
| 62 | User Enumeration and Information Disclosure | $0.0 |
| 63 | Missing authorization checks leading to the exposure of ubernihao.com administrator accounts | $0.0 |
| 64 | XSS At "pages.et.uber.com" | $0.0 |
| 65 | newsroom.uber.com is vulnerable to 'SOME' XSS attack via plupload.flash.swf | $0.0 |
| 66 | Multiple vulnerabilities in a WordPress plugin at drive.uber.com | $0.0 |
| 67 | Bulk UUID enumeration via invite codes | $0.0 |
| 68 | Reading Emails in Uber Subdomains | $0.0 |
| 69 | Changing paymentProfileUuid when booking a trip allows free rides | $0.0 |
| 70 | text injection in get.uber.com/check-otp | $0.0 |
| 71 | Attacker could setup reminder remotely using brute force | $0.0 |
| 72 | Stealing users password (Limited Scenario) | $0.0 |
| 73 | Users can falsely declare their own Uber account info on the monthly billing application | $0.0 |
| 74 | Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront | $0.0 |
| 75 | Authorization issue in Google G Suite allows DoS through HTTP redirect | $0.0 |
| 76 | pam-ussh may be tricked into using another logged in user's ssh-agent | $0.0 |
| 77 | ability to retrieve a user's phone-number/email for a given inviteCode | $0.0 |
| 78 | password reset token leaking allowed for ATO of an Uber account | $0.0 |
| 79 | Session not expired When logout [partners.uber.com] | $0.0 |
| 80 | phone number exposure for riders/drivers given email/uuid | $0.0 |
| 81 | deleting payment profile during active trip puts account into arrears but active trip is temporarily “free” | $0.0 |
| 82 | Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com | $0.0 |
| 83 | The Microsoft Store Uber App Does Not Implement Certificate Pinning | $0.0 |
| 84 | The Microsoft Store Uber App Does Not Implement Server-side Token Revocation | $0.0 |
| 85 | The Uber Promo Customer Endpoint Does Not Implement Multifactor Authentication, Blacklisting or Rate Limiting | $0.0 |
| 86 | SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint | $0.0 |
| 87 | It's possible to view configuration and/or source code on uchat.awscorp.uberinternal.com without | $0.0 |
| 88 | Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication | $0.0 |
| 89 | SSL-protected Reflected XSS in m.uber.com | $0.0 |
| 90 | SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint | $0.0 |
| 91 | udi-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint | $0.0 |
| 92 | lite:sess Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint | $0.0 |
| 93 | muber-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint | $0.0 |
| 94 | Design Issue at riders.uber.com/profile | $0.0 |
| 95 | Information Leak - GitHub - Endpoint Configuration Details | $0.0 |
| 96 | No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts | $0.0 |
| 97 | Delay of arrears notification allows Riders to take multiple rides without paying | $0.0 |
| 98 | SMS/Call spamming due to truncated phone number | $0.0 |
| 99 | Open redirect on rush.uber.com, business.uber.com, and help.uber.com | $0.0 |
| 100 | Privacy policy contains hardcoded link using unencrypted HTTP | $0.0 |
| 101 | Lack of payment type validation in dial.uber.com allows for free rides | $0.0 |
| 102 | Physical Access to Mobile App Allows Local Attribute Updates without Authentication | $0.0 |
| 103 | lert.uber.com: Few default folders/files of AURA Framework are accessible | $0.0 |
| 104 | Site-wide CSRF on eats.uber.com | $0.0 |
| 105 | SMS URL verification link does not expire on phone number change and lacks rate limiting | $0.0 |
| 106 | Reflected XSS in lert.uber.com | $0.0 |
| 107 | IDOR on partners.uber.com allows for a driver to override administrator documents | $0.0 |
| 108 | IDOR in activateFuelCard id allows bulk lookup of driver uuids | $0.0 |
| 109 | Subdomain takeover at signup.uber.com | $0.0 |
| 110 | Client secret, server tokens for developer applications returned by internal API | $0.0 |
| 111 | Lack of proper paymentProfileUUID validation allows any number of free rides without any outstanding balance | $0.0 |
| 112 | Sensitive user information disclosure at bonjour.uber.com/marketplace/_rpc via the 'userUuid' parameter | $0.0 |
| 113 | Subdomain takeover on mta1a1.spmail.uber.com | $0.0 |
| 114 | Full Path and internal information disclosure + SQLNet.log file disclose internal network information | $0.0 |
| 115 | [manage.jumpbikes.com] Blind XSS on Jump admin panel via user name | $0.0 |
| 116 | [experience.uber.com] Node.js source code disclosure & anonymous access to internal Uber documents, templates and tools | $0.0 |
| 117 | Cookie Bombing cause DOS - businesses.uber.com | $0.0 |
| 118 | [usuppliers.uber.com] - Server Side Request Forgery via XXE OOB | $0.0 |
| 119 | Uber employees are sharing information on productforums.google.com | $0.0 |
| 120 | Disclosure of Co-Rider user (Uber-pooling) profile picture at Amazon AWS Cloudfront within HTTP RESPONSE | $0.0 |
| 121 | stack trace exposed on https://receipts.uber.com/ | $0.0 |
| 122 | Reflected XSS on https://www.uber.com | $0.0 |
| 123 | Critical Information disclosure of rtapi token for any user via https://video-support-staging.uber.com/video/api/getPopulousUser | $0.0 |
| 124 | Exposed █████████ in apk file - devbuilds.uber.com | $0.0 |
| 125 | IDOR leads to leak analytics of any restaurant | $0.0 |
| 126 | Cross-Tenant IDOR on Business allowing escalation privilege, invitation takeover, and edition of any other Businesses' employees | $0.0 |
| 127 | Unrestricted File Upload Results in Cross-Site Scripting Attacks | $0.0 |
| 128 | Request Access for Uber Device Returns Management Platform (https://www.eats-devicereturns.com/request-access/) Bypass Allows Access to PII | $0.0 |
| 129 | private passenger information is exposed to the Uber Driver app during ride dispatch ("Ping") events | $0.0 |
| 130 | IDOR leads to See analytics of Loyalty Program in any restaurant. | $0.0 |
| 131 | pam_ussh does not properly validate the SSH certificate authority | $0.0 |
| 132 | CVE-2020-3452 - unauthenticated file read on anyconnect.routematch.com | $0.0 |
| 133 | Publicly exposed HashiCorp Vault (Secrets management) at usec-gcp-staging.uberinternal.com & usec-gcp.uberinternal.com | $0.0 |
| 134 | Google Maps API Key Leakage | $0.0 |
| 135 | Uber Test Report 20220301 | $0.0 |
| 136 | Chain of IDORs Between U4B and Vouchers APIs Allows Attackers to View and Modify Program/Voucher Policies and to Obtain Organization Employees' PII | $0.0 |
| 137 | Exposed Golang Pprof debugger at https://cn-geo1.uber.com/ | $0.0 |
| 138 | Golang expvar Information Disclosure | $0.0 |
| 139 | Complete Admin account takeover due to PhpDebugBar turned on in Uber's production server | $0.0 |