Uber is in the process of fixing all reported bugs

Jun 26, 2016 00:15 GMT  ·  By

Uber is in the process of fixing a slew of security bugs disclosed by security firm Integrity, which discovered and reported 14 issues found on the company's websites and mobile applications.

The security firm has published details about only six of these bugs, as it is waiting for Uber to patch four more.

The first issue they discovered could be used to launch brute-force attacks against Uber's promo code feature in the riders.uber.com panel for Uber drivers.

Researchers discover 1,000 active promo codes

The researchers found over 1,000 active promo codes by trying countless random promo code combinations and even discovered a $100 ERH (Emergency Ride Home) code that would have added $100 to each driver's fare earnings.

The second issue they discovered allowed researchers to extract user details via the mobile app's Help section, which, in turn, enabled them to get the victim's email address.

The third bug manifested when a user asked a second user to split the ride fare. Researchers said they were able to get the driver's and invitee's UUIDs and then request private information like names, pictures, location, car type, status, rating, phone numbers, and more.

Security firm discovers a method for adding rogue Uber drivers

The fourth problem was in the Uber app's driver activation process. In order for drivers to access a specific area of the Uber app reserved for them, they need to ask the company to activate their account. Integrity researchers discovered that, by toggling the "isActivated" parameter to "true," they could add rogue drivers to the service.
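As an added illustration of the activation bug described above (example code, not Uber's or Integrity's; the record layout and every field name other than "isActivated" are assumptions), a handler that blindly merges client input sits beside one that allow-lists editable fields and keeps activation on a server-only code path:

```python
# Added example (not Uber's or Integrity's code): the class of bug described
# above, where a client-controlled "isActivated" flag is trusted by the server.
# The record layout and field names other than "isActivated" are assumptions.

from copy import deepcopy

# Fields a driver may legitimately edit from the mobile app (assumed list).
CLIENT_EDITABLE_FIELDS = frozenset({"displayName", "phone", "vehicleModel", "licensePlate"})

# Fields only the backend may change, after its own review process.
SERVER_ONLY_FIELDS = frozenset({"isActivated", "rating", "uuid"})


def update_driver_vulnerable(record: dict, payload: dict) -> dict:
    """Merge whatever the client sent into the stored record (the bug pattern)."""
    updated = deepcopy(record)
    updated.update(payload)  # no allow-list: a client-supplied isActivated=true is accepted
    return updated


def update_driver_hardened(record: dict, payload: dict) -> dict:
    """Apply only allow-listed fields; reject any attempt to touch server-only ones."""
    forbidden = SERVER_ONLY_FIELDS.intersection(payload)  # payload keys are the field names
    if forbidden:
        # Fail closed and surface the attempt for monitoring rather than silently dropping it.
        raise PermissionError(f"client tried to set server-only field(s): {sorted(forbidden)}")
    unknown = set(payload) - CLIENT_EDITABLE_FIELDS
    if unknown:
        raise ValueError(f"unsupported field(s): {sorted(unknown)}")
    updated = deepcopy(record)
    updated.update(payload)
    return updated


def activate_driver(record: dict, review_passed: bool) -> dict:
    """The only code path that may flip isActivated, driven by the backend review outcome."""
    updated = deepcopy(record)
    updated["isActivated"] = bool(review_passed)
    return updated


if __name__ == "__main__":
    # Constructed sample record and a tampered request body.
    driver = {"uuid": "example-uuid-0000", "displayName": "Sample Driver", "isActivated": False}
    tampered = {"displayName": "Sample Driver", "isActivated": True}
    print(update_driver_vulnerable(driver, tampered)["isActivated"])  # True: activated without review
    try:
        update_driver_hardened(driver, tampered)
    except PermissionError as err:
        print("rejected:", err)
```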

A fifth issue allowed researchers to access a driver's waybill section, from where they had access to the driver's name, license plate, car model, last ride history, and more. Researchers did not disclose all details about this bug because it also allowed them to list the full path of the driver's previous trip.

The sixth issue is derived from the third. Once the researchers got their hands on a user UUID, they were able to get information about that person's trips, in great detail, enough to plot out a map.