Bounty report: how we discovered Uber's developer applications were leaking client secrets and server tokens

Tags: security, cookie, session, http, ajax

by AppSecure

Bounty report: how we discovered Uber's developer applications were leaking client secrets and server tokens

This is being published with the permission of Uber under the responsible disclosure policy.

The vulnerability detailed in this blog post is being disclosed by Anand Prakash and Manisha Sangwan of team AppSecure. This was plugged quickly by the engineering team at Uber.

This post is about an information leakage vulnerability on riders.uber.com: we identified a public API endpoint, reached from https://riders.uber.com/profile, that sent back the server tokens and client secret of every application the account owner had authorized to access their Uber account.

As per Uber’s documentation:

“The secret for your application, this should be treated like your application’s password. Never share this with anyone, check this into source code, or post in any public forum. Additionally, this should not be distributed on client devices where users could decompile your code and access the secret. If you suspect your client_secret has been compromised you may generate a new one in your application’s dashboard which will immediately invalidate the old secret.”

This could have been easily exploited by an attacker by connecting their account to any Uber application on production and then using the profile endpoint to retrieve server tokens and client secrets of the connected application in the API response.

Uber fixed this issue by removing this data from the API response, as reported. Uber publicly notified all developers of this vulnerability and asked developers to rotate secrets on a periodic basis.

About Uber

Uber is a transportation network company (TNC) headquartered in San Francisco, California. Uber offers services including peer-to-peer ridesharing, taxi cab hailing, food delivery, and a bicycle-sharing system. The company has operations in 785 metropolitan areas worldwide. Uber has a valuation of over $100 billion as per Bloomberg’s report.

How my exploit worked step-by-step

Step 1

The attacker connects any Uber developer application to their own account using OAuth. A few examples of Uber developer applications are IFTTT, Payfare, and Bixby. This is not a complicated procedure; it is the normal flow any user goes through to connect an app.

Step 2

Once the attacker has connected one of these apps to their Uber account, they can call the endpoint below with their own session data and receive the developer application's confidential data (client secret and server tokens) along with other significant information about the application.

The vulnerable Uber API:

POST /api/getAuthorisedApps HTTP/1.1
Host: riders.uber.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://riders.uber.com/profile
content-type: application/json
x-csrf-token: XXX
origin: https://riders.uber.com
Content-Length: 2
Cookie:

Data getting leaked in API response:

{"status":"success","data":{"data":{"uuid":"xxxx"},"clientScopes":{"authorizedClientScopes":[{"clientID":"xxx","scopes":["history","offline_access","profile"]}]},"scopeDetails":[{"applicationDetails":{"applicationID":"xxx","owner":{"userUUID":"xxxx","userEmail":""},"applicationSecret":"xxx","name":"xxx","description":"abc","privacyPolicyURL":"https://appsecure.in","surgeConfirmedRedirectURI":"","webhookURL":"","applicationType":"","requestsPerHour":{"low":0,"high":0,"unsigned":false},"redirectURIs":["xxxxxx"],"appSignatures":[],"defaultScopes":["history","profile"],"whitelistedScopes":[],"originURIs":[],"serverTokens":["xxx"],"ipWhitelist":[],"admins":[{"userUUID":"xxxx","userEmail":""},{"userUUID":"xxxx","userEmail":""},{"userUUID":"xxxx","userEmail":""}],"developers":[{"userUUID":"xxxx","userEmail":""}],"tags":[],"oauthEnabled":false,"smsVerificationEnabled":false,"cobrandingEnabled":false,"supplyOnly":false,"isInternal":true,"cobrandingDetails":{"nativeURL":"","androidFallbackURL":"","iosFallbackURL":"","displayName":"","linkName":"","logoUUID":"","logoFiletype":"","generatedLogoURL":""},"availableScopes":["delivery","history","history_lite","places","profile","ride_widgets"],"openScopes":["delivery","history","history_lite","places","profile","ride_widgets"],"developerScopes":["all_trips","request","request_receipt"],"createdAt":{"low":xxx,"high":0,"unsigned":false},"updatedAt":{"low":xxx,"high":0,"unsigned":false},"displayName":null,"iconURL":null,"publicDescription":null,"appGalleryDetails":{"mobilePlatforms":[],"publicationState":"","redirectURI":"xxxx","permissionState":""}},"permissions":null,"userRoleInvitations":null}]}}
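The root cause visible in that response is that the endpoint serialized the full internal application record for a rider who merely authorized the app. The added example below (written for this page, not Uber's code) shows the defender-side pattern the fix implies: project the record onto an explicit allow-list of rider-visible fields, and keep a separate secret-key scanner that can run as a regression test over any JSON response. The sample record is a constructed, trimmed copy of the leaked shape above with placeholder values.

```python
import json

# Constructed sample of the leaked response shape (trimmed); values are placeholders.
LEAKED_RESPONSE = json.loads("""{"status":"success","data":{"data":{"uuid":"xxxx"},
  "clientScopes":{"authorizedClientScopes":[{"clientID":"xxx","scopes":["history","offline_access","profile"]}]},
  "scopeDetails":[{"applicationDetails":{"applicationID":"xxx","name":"xxx","description":"abc",
    "owner":{"userUUID":"xxxx","userEmail":""},"applicationSecret":"xxx",
    "privacyPolicyURL":"https://appsecure.in","redirectURIs":["xxxxxx"],"webhookURL":"",
    "serverTokens":["xxx"],"ipWhitelist":[],"isInternal":true,
    "admins":[{"userUUID":"xxxx","userEmail":""}],"developers":[{"userUUID":"xxxx","userEmail":""}]},
   "permissions":null,"userRoleInvitations":null}]}}""")

# Fields a rider legitimately needs in order to review and revoke a connected app.
# Everything else is dropped, so a secret-bearing field added to the internal
# record later cannot leak by default (allow-list, not deny-list).
RIDER_VISIBLE_FIELDS = ("applicationID", "name", "description", "privacyPolicyURL")

# Keys that must never appear in a rider-facing response; used as an independent
# second check so a mistake in the projection is still caught by tests.
SECRET_FIELDS = {"applicationSecret", "serverTokens", "ipWhitelist", "webhookURL",
                 "redirectURIs", "owner", "admins", "developers"}


def rider_view(full_response):
    """Project the internal authorized-apps record onto the rider-facing shape."""
    data = full_response["data"]
    apps = []
    for entry in data["scopeDetails"]:
        details = entry["applicationDetails"]
        apps.append({k: details[k] for k in RIDER_VISIBLE_FIELDS if k in details})
    return {"status": full_response["status"],
            "grantedScopes": data["clientScopes"]["authorizedClientScopes"],
            "authorizedApps": apps}


def leaked_keys(obj, path=""):
    """Walk any JSON value and return dotted paths of keys listed in SECRET_FIELDS."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in SECRET_FIELDS:
                found.append(here)
            found.extend(leaked_keys(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(leaked_keys(value, f"{path}[{i}]"))
    return found
```

Running `leaked_keys` over the raw record reports the applicationSecret and serverTokens paths; over `rider_view(LEAKED_RESPONSE)` it returns an empty list, which is the assertion worth keeping in the endpoint's test suite.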

Disclosure Timeline

October 5th, 2018: Report sent to Uber’s Security team.

November 6th, 2018: Issue resolved by Uber. AppSecure asked Uber to notify all developers in case their app secrets were no longer confidential. We verified the fix.

December 20th 2018: Uber replied, stating, “They are in process of notifying the developers and in process of putting up long term fix in place for this issue.”

February 8th 2019: Uber rewarded us with $5000 bounty and notified all developers via email about the same. The issue was publicly disclosed after the action was conducted.

Translated from: https://www.freecodecamp.org/news/leakage-of-client-secret-server-tokens-of-all-uber-developer-applications-657d9d7fd30e/

Copyright notice: this is an original post by the blogger, released under the CC 4.0 BY-SA license; when reposting, include a link to the original and this notice.
Link to this post: https://blog.csdn.net/cumian8165/article/details/108155592