Mobile Threat Blog

Unauthorized 3rd Parties Can Send Users Bogus Messages

During research conducted for our 2017 Q1 Enterprise Mobile Threat Report “Uber: Security Risks Come Along with Your Ride”, Appthority researchers discovered a vulnerability that allowed anyone to send bogus SMS and email messages on behalf of Uber (no-reply@uber.com) as well as notifications from within the Uber app itself, by abusing one of Uber’s Partner APIs (https://api.uber.com/v1.2/reminders).

The intended purpose of this API is to allow partner developers to set a reminder for a future trip. However, the access control mechanism for this API was flawed. Thus, anyone with a server_token and a target’s (Uber user) phone number could invoke the /reminders API to send messages.

Appthority notified Uber of this vulnerability through its Bug Bounty program, and although Uber did not pay for the bug find, we are happy to report that Uber has implemented a fix, making its service more secure for users all over the world. Kudos to Uber for not only having a Bug Bounty program, but also for their timely response in addressing security vulnerabilities reported through its system.

Now that Uber has addressed the risk, we can describe the vulnerability in more detail:

Obtaining the server_token is trivial – anyone with an email account can sign up for an Uber developer account and they will automatically be assigned a server_token. Or, one can simply use a server_token available in public forums. Further, Appthority also found 16 apps (listed in the Appendix below) which hard-code server_tokens into their own apps, making them visible to anyone who reverse engineers the app’s source code.

An attack targeting a user with bogus messages can be performed by sending a POST request to the Uber API as follows:

curl -H 'Content-Type: application/json' \
     -d '{
       "reminder_time": 1484158320,
       "phone_number": "+10000000000",
       "event": {
         "name": "HACKING",
         "location": "U R HACKED!!!",
         "latitude": 37.784223,
         "longitude": -122.403462,
         "time": 1484158320
       }
     }' \
     'https://api.uber.com/v1.2/reminders?server_token=<server_token>'

The reminder_time and the event's time are Unix timestamps (seconds since the epoch, UTC) and can be set to any future date and time. Similarly, the phone_number and server_token can also be changed.

The above request causes Uber to push an in-app notification to the targeted user if the user has the Uber app installed on their device (iOS or Android). Otherwise, Uber sends the user an SMS asking them to install the Uber app. Uber's servers also send an email if the user has configured the app to send trip reminders to their email address.

Given how widely deployed the Uber app is, a broader attack could also be achieved by using a public phone directory of mobile users to spam messages to the general public.

Appthority urged Uber to impose stricter restrictions on its APIs such as applying scope (scope of permission request sent to user) and bearer token (access token granted by user) to the /reminders API. Scope and bearer tokens are used for other Uber APIs and they can easily be applied here. First, an app may ask for a permission from a user to send reminders by requesting with its client ID and client secret. After the user approves, Uber sends a bearer token associated with the user to the requesting app.

The /reminders API should be designed so that it can only be invoked by apps that hold such a bearer token. In this way, only apps that have been approved by a user will be able to send trip reminders to that user.

In an enterprise setting, this vulnerability raises a lot of concern. Plenty of corporate executives use the Uber app to commute, travel to/from airports or get to important meetings while on business trips. All an attacker would need is the executive's mobile phone number (easily obtainable via a business card, email signature, or social engineering) to perform a targeted attack. Imagine an executive traveling abroad receives an Uber alert that their ride is ready, but that the car has changed, displaying a different license plate, car make, and model. This could, at a minimum, cause confusion and delay, but in the worst-case scenario it could enable a physical attack or kidnapping.
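To make the recommended access-control change concrete, here is an added example (not Uber's code, and not taken from Uber's API documentation) that models the flawed server_token-only check beside the hardened check that requires a user-granted bearer token carrying a "reminders" scope bound to the targeted user. The token values, phone numbers, scope name and the handle_reminder function are constructed for illustration.

```python
"""Added example, not Uber's code: a minimal model of the access-control
designs the post contrasts for a /reminders-style endpoint. Assumptions
(constructed, not taken from Uber's API docs): a server_token identifies
only the calling app; a bearer token is issued after a specific user approves
a specific scope ("reminders") for that app; a reminder may be created only
for the user the bearer token was issued to."""
from dataclasses import dataclass
from typing import Optional, Tuple
# Constructed sample data: registered server tokens and user-granted bearer tokens.
SERVER_TOKENS = {"srv-app-A": "app-A", "srv-app-B": "app-B"}

@dataclass(frozen=True)
class Grant:
    app_id: str
    user_phone: str
    scopes: frozenset

BEARER_TOKENS = {
    # user +15550000001 approved app-A for the "reminders" scope
    "bearer-1": Grant("app-A", "+15550000001", frozenset({"reminders"})),
    # user +15550000002 approved app-B only for "profile", not "reminders"
    "bearer-2": Grant("app-B", "+15550000002", frozenset({"profile"})),
}

def flawed_authorize(server_token: str, phone_number: str) -> bool:
    """Pre-fix model: any valid server_token may target any phone number."""
    return server_token in SERVER_TOKENS

def hardened_authorize(bearer_token: str, phone_number: str) -> Tuple[bool, str]:
    """Recommended model: the bearer token must exist, carry the 'reminders'
    scope, and belong to the very user the reminder is addressed to."""
    grant = BEARER_TOKENS.get(bearer_token)
    if grant is None:
        return False, "invalid or missing bearer token"
    if "reminders" not in grant.scopes:
        return False, "scope 'reminders' not granted by user"
    if grant.user_phone != phone_number:
        return False, "bearer token not issued for target user"
    return True, "ok"

def handle_reminder(body: dict, bearer_token: Optional[str]) -> Tuple[int, str]:
    """HTTP-style outcome under the hardened model; 'body' mirrors the JSON
    fields the post shows (reminder_time, phone_number, event)."""
    for key in ("reminder_time", "phone_number", "event"):
        if key not in body:
            return 400, "missing field: " + key
    if bearer_token is None:
        return 401, "bearer token required; server_token alone is not accepted"
    ok, why = hardened_authorize(bearer_token, body["phone_number"])
    return (200, "reminder scheduled") if ok else (403, why)
```

Under the flawed model the only thing checked is that the caller holds any registered server_token, which is exactly why a leaked or hard-coded token let anyone message any phone number; under the hardened model the request fails unless the targeted user personally granted the calling app the reminders scope.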

Appthority researchers reported this vulnerability and the recommendation to Uber on Jan 12, 2017. Uber fixed this issue on 30 March 2017.

Appendix: Apps that hard-code their Uber server tokens.

Application Name                                                                        Package Name
Bestaurant – find friends’ favorite food                                                com.dominicpenaloza.bestaurant
Delhi-NCR Metro                                                                         com.data.metro.services
Dineout: Restaurant Reservations, Deals, Menus & Reviews                                com.dineout.book
Drunk Mode – Party App & Friend Locator to find friends for Drinking Safety & Parties   com.launch.Drunk-Mode
GuidePal City Guides                                                                    com.guidepal.android
GuidePal City Travel Guides – best tips for you handpicked by locals                    com.guidepal.guidepalcityguides
GuidePal, city guides & offline maps                                                    com.guidepal.guidepalcityguides
Metro y Metrobus de México                                                              com.metromexico
PaidEasy                                                                                com.production.paideasy
PVR Cinemas                                                                             com.net.pvr
Time Out: Discover your city                                                            com.timeout.ui
Tokyo Haneda FlightPal                                                                  com.horseboxsoftware.HND
Toulouse Bus : Métro, Bus et Tram à Toulouse                                            net.ppmax.toulousebus
Transit App: Real Time Tracker                                                          com.thetransitapp.droid
VZ Navigator                                                                            com.vznavigator.Generic
Zomato – Restaurant Finder                                                              com.application.zomato
