Uber pays $9,000 bug bounty payoff for partner firm’s vulnerability

Share this…

A security expert discovered a flaw in a ransomware protection service that opened Uber service, and many others, to cyber attacks.

The Russian penetration tester Vladimir Ivanov from the security firm Positive Technologies has discovered a vulnerability in anti-ransomware backup service Code42. The flaw could be exploited by attackers to steal data from the organizations using the services, including Uber,  Adobe, and Lockheed Martin.

Uber flaw

Ivanov discovered the XML external entity vulnerability while it was searching for flaws in the Uber service that was covered by the bug bounty program of the company.

Ivanov reported the flaw to Uber that agreed to pay him US$9,000 considering that Code42 doesn’t have a bug bounty program.

“The only option to break the service and get a bounty for pwning the [Code42] application was to find a zero day,” Ivanov says.

“[The vulnerability] could give access to backups of all users in a given company. Uber security guys were excited with this vulnerability: they contacted vendor and confirmed that this vulnerability was a zero day.”

An XML External Entity issue occurs everytime an XML input containing a reference to an external entity is processed by a not properly configured XML parser, as a result, it can cause the disclosure of confidential data, denial of service conditions and trigger server-side request forgery attacks.

Ivanov reported the issue to Uber in May through its HackerOne bug bounty, then the company informed Code42 of the flaw that promptly fixed it.

“As a proof-of-concept for Uber, I retrieved the contents of /home/ directory of the server, which was a nice impact illustration to my report at Hackerone,” wrote Ivanov.

“I like to show impact of a given vulnerability, so you don’t have to ask me twice. Given permission to show further exploitation, I quickly found the folder, where backup logs were stored. ”

Uber flaw

Code42 asked Ivanov to wait all customers had applied the security updates to fix the flaw before publicly disclose it.