How Hackers Can Hack Uber and Track You

Recently a few white hat hackers at Integrity have been very busy hacking Uber. What they ran across is quite scary: hackers can hack into Uber and track where you are going.

To gather information about Uber subdomains, they needed to do a DNS brute-force.

Subdomains

Request for waybill of other driver

To get a driver UUID you can, for example, request a random car, let the driver accept the trip, and then cancel it. In the meantime you are able to capture the driver UUID.

In the response of this request, they were able to get the driver name, license plate, last tripUUID, last passenger name, number of passengers, the origin and destination of the trip.

Detailed response of driver’s waybill
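
The waybill request above returned another driver's data to a caller who only knew that driver's UUID. The Python below is an added example, not code from the original article or from Uber: it assumes the cause was a lookup keyed only on the UUID in the request, and shows that pattern beside an ownership check, with a small audit function usable as a regression test. All function names, UUIDs and records are constructed.

```python
# Added illustration; every name and record here is constructed, not Uber's API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Waybill:
    driver_uuid: str
    driver_name: str
    license_plate: str
    last_trip_uuid: str
    last_passenger_name: str
    origin: str
    destination: str

# Constructed sample store keyed by driver UUID.
WAYBILLS = {
    "driver-aaaa": Waybill("driver-aaaa", "Alice", "AA-00-AA", "trip-1", "Pat", "A St", "B Ave"),
    "driver-bbbb": Waybill("driver-bbbb", "Bob", "BB-11-BB", "trip-2", "Sam", "C Rd", "D Blvd"),
}

class Forbidden(Exception):
    """Caller is not allowed to read the requested waybill."""

def get_waybill_unchecked(session_driver_uuid, requested_uuid):
    # Assumed flawed pattern: the UUID from the request is the only key, so any
    # authenticated caller who learns a UUID can read that driver's waybill.
    return WAYBILLS[requested_uuid]

def get_waybill_checked(session_driver_uuid, requested_uuid):
    # Object-level authorization: the waybill must belong to the session's driver.
    # Unknown and foreign UUIDs fail identically, so the endpoint is no UUID oracle.
    waybill = WAYBILLS.get(requested_uuid)
    if waybill is None or waybill.driver_uuid != session_driver_uuid:
        raise Forbidden("waybill not available for this account")
    return waybill

def audit(handler, session_driver_uuid):
    """Return UUIDs of other drivers' waybills readable through handler."""
    leaked = []
    for uuid in WAYBILLS:
        if uuid == session_driver_uuid:
            continue
        try:
            handler(session_driver_uuid, uuid)
            leaked.append(uuid)
        except Forbidden:
            pass
    return leaked
```
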

Notice the TRIP # in this response? To get the full path of the trip, they ended up discovering a new functionality that returns the full path of the trip, the driver name, client name, license plate and even the car model.

They did not give details about this function at this time.

Full path of the trip

Of course, there is a lot more information than I would care to go into. If you want, you could read the article here.