• News
  • Analysis
  • Reviews
  • Education

The Merkle News

Menu
  • Featured
  • News
  • Market Analysis
  • Memecoins
  • Press Releases

White Hat Hacker Saved Uber From Login Bypass Exploit

JP Buntinx June 8, 2016
TheMerkle_Uber

As it turns out, no company is safe from exploits or vulnerabilities. Not even Uber, who paid a researcher US$10,000, to not reveal his login bypass exploit. Such a vulnerability could effectively cripple the service if the information got into the wrong hands.

Uber Was Vulnerable To Dangerous Exploit

TheMerkle_Uber Login Bypass Exploit

The security vulnerability would have had some nasty effects on the Uber network. Bypassing the login form would let attacks access specific “.uber.com” websites, which could affect the company’s internal network.  Nipping the potential flaws in the bud at an early stage is always the best strategy for a company.

Luckily for Uber, a white hat security researcher disclosed the bug to the company. If it had been a black hat hacker, the vulnerability would not have been reported, and there is no telling as to what would have happened. The researcher was paid a US$10,000 bounty for discovering this bug, which is the highest bounty Uber has ever paid out since launching the program earlier this year.

What this vulnerability does exactly, is letting attackers bypass the system used for Uber employee authentication. Additionally, it would have been possible to compromise the company’s internal network which is hosted on Atlassian’s Confluence software. Bypassing this login would allow an attacker to access the Uber Newsroom, which is running on WordPress.

OneLogin is the company responsible for authenticating users on the WordPress backend. However, it is possible to enter any username or wanted role, as the plugin will create a new user if the username does not exist yet. If an attacker can guess the right role name – such as “Administrator – it is possible to create a new account and wreak all kinds of havoc.

Compromising Uber’s internal network is a more serious concern, though. Attacks would have been able to achieve remote code execution, as they can inject Javascript from the NewsRoom directly. Luckily, the company fixed all issues within 36 hours after finding out about what was going on.

Source: Threatpost

Images credit 1,2

If you liked this article follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin and altcoin price analysis and the latest cryptocurrency news.

About The Author

Jdebunt

JP Buntinx is a FinTech and Bitcoin enthusiast living in Belgium. His passion for finance and technology made him one of the world's leading freelance Bitcoin writers, and he aims to achieve the same level of respect in the FinTech sector.

Press Releases

  • Ethereum Altcoin Season Is About To Start …
    May 15, 2025
  • Why Staking Is the Best Way to …
    May 15, 2025
  • Missed Dogwifhat’s Moonshot? Trollercat’s 6,000% Presale Gains …
    May 13, 2025
  • Highest-ROI Crypto: BlockDAG Leads With $235M Presale …
    May 11, 2025
  • Cold Wallet’s Token Offers Huge ROI, AVAX …
    May 6, 2025

Popular Posts

  • Ethereum Reclaims Momentum Amid Pectra Upgrade and …
    May 16, 2025
  • Whales Are Accumulating Ethereum: What Does This …
    April 19, 2025
  • Bitcoin Price Analysis for May 29th - BTC Going to Grow
    Bitcoin Market Trends Indicate Potential Shift as …
    April 19, 2025
The Merkle News Copyright © 2025.