How Hackers Can Hack Uber and Track You

Posted on Jun 26 2016 - 3:34am by TekGuru

Recently a few white hat hackers at Integrity have been very busy hacking Uber. What they ran across is quite scary: hackers can hack into Uber and track where you are going.

To gather information about Uber subdomains, they needed to do a DNS brute-force.

Subdomains Possible to View Driver Waybill via Driver UUID

Using the previous vulnerability they were able to test a new functionality called waybill. By crafting the request that the app sends, they noticed that it had a broken access control vulnerability that allowed them to see the last trip of every driver, knowing only the driver's UUID.

Request for waybill of other driver

To get a driver UUID you can, for example, request a random car, let the driver accept the trip, and then cancel it. In the meantime you are able to capture the driver UUID.

In the response of this request, they were able to get the driver name, license plate, last tripUUID, last passenger name, number of passengers, the origin and destination of the trip.

Detailed response of driver’s waybill
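
The waybill flaw described above is a missing object-level authorization check on the server. As an added example (not code from Integrity's write-up or from Uber; the function names, the in-memory store and every record are constructed for illustration), the first handler reproduces the flawed behaviour and the second enforces ownership:

```python
# Hypothetical waybill service. All names and records are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Waybill:
    driver_uuid: str
    driver_name: str
    license_plate: str
    last_trip_uuid: str
    passenger_name: str
    origin: str
    destination: str


# Constructed sample data standing in for the backend store.
WAYBILLS = {
    "driver-aaa": Waybill("driver-aaa", "Driver A", "AA-00-AA", "trip-111",
                          "Passenger X", "Origin 1", "Destination 1"),
    "driver-bbb": Waybill("driver-bbb", "Driver B", "BB-00-BB", "trip-222",
                          "Passenger Y", "Origin 2", "Destination 2"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested waybill."""


def get_waybill_vulnerable(session_driver_uuid: str, requested_uuid: str) -> Waybill:
    # Broken access control: the authenticated identity is ignored and the
    # UUID supplied in the request alone selects the record.
    return WAYBILLS[requested_uuid]


def get_waybill_checked(session_driver_uuid: str, requested_uuid: str) -> Waybill:
    # session_driver_uuid must come from the server-side session, never from
    # the request body. Missing and foreign records produce the same error so
    # the endpoint cannot be used to test which UUIDs exist.
    waybill = WAYBILLS.get(requested_uuid)
    if waybill is None or waybill.driver_uuid != session_driver_uuid:
        raise Forbidden("waybill not available to this account")
    return waybill
```
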

Notice the TRIP # in this response? To get the full path of the trip, they ended up discovering a new functionality that returns the full path of the trip, the driver name, client name, license plate and even the car model.

They did not give details about this function at this time.

Full path of the trip

Of course there is a lot more information than I would care to go into. If you want, you can read the article here: https://labs.integrity.pt/articles/uber-hacking-how-we-found-out-who-you-are-where-you-are-and-where-you-went/

About the Author

I love anything that is tech related: gaming, science, movies, etc. I am the owner and founder of AllThatTek.
