
Uber Pays Researcher $10,000 for Critical Flaw

A security researcher earned $10,000 through Uber’s bug bounty program for reporting a critical authentication bypass vulnerability affecting a third-party WordPress plugin.

Jouko Pynnönen of Klikki Oy noticed that several WordPress-powered Uber domains use OneLogin SAML SSO, a plugin that provides single sign-on via SAML. The researcher discovered that the plugin is plagued by a vulnerability that allows attackers to bypass authentication and gain access to user accounts, including ones with admin privileges, if they can guess the associated role name (e.g. admin, editor, contributor, subscriber).
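The article does not say how the plugin's check failed, only that a guessed role name was enough to get in. The following is an added, constructed illustration (not the OneLogin plugin's code and not from the researcher's report) of that class of defect in an SSO login handler: a version that honours a role name sent by the client beside a hardened version that only trusts an assertion whose signature it has verified and then looks the role up server-side. The HMAC over canonical JSON stands in for a real SAML XML signature, and the user directory and signing key are constructed sample data.

```python
"""
Constructed illustration of the authentication-bypass pattern described in the
article: an SSO login handler that honours a role name supplied by the client,
beside one that only trusts a role tied to an assertion whose signature it has
verified. Not the OneLogin plugin's code; HMAC over canonical JSON stands in for
real SAML XML signatures.
"""
import hashlib
import hmac
import json

# Constructed shared secret standing in for the identity provider's signing key.
IDP_SIGNING_KEY = b"constructed-idp-key-not-a-real-secret"

# Constructed user directory: login -> role actually assigned on the site.
USER_ROLES = {"alice": "administrator", "bob": "subscriber"}


def sign_assertion(assertion: dict, key: bytes = IDP_SIGNING_KEY) -> str:
    """Produce the IdP's signature over a canonical JSON form of the assertion."""
    canonical = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def vulnerable_login(request: dict):
    """Weak pattern: the role is read straight from the request and no assertion
    is verified, so any client that guesses a valid role name (e.g.
    'administrator') is logged in with that role."""
    role = request.get("role")
    if role in set(USER_ROLES.values()):
        return {"user": request.get("user", "anonymous"), "role": role}
    return None


def hardened_login(request: dict, key: bytes = IDP_SIGNING_KEY):
    """Hardened pattern: only a correctly signed assertion establishes identity,
    and the role is then taken from the site's own records, never from any
    client-controlled field."""
    assertion = request.get("assertion")
    signature = request.get("signature")
    if not isinstance(assertion, dict) or not isinstance(signature, str):
        return None
    expected = sign_assertion(assertion, key)
    # Constant-time comparison so the check does not leak through timing.
    if not hmac.compare_digest(expected, signature):
        return None
    user = assertion.get("subject")
    if user not in USER_ROLES:
        return None
    return {"user": user, "role": USER_ROLES[user]}


if __name__ == "__main__":
    # A request carrying only a guessed role name, no assertion at all.
    guessed = {"user": "mallory", "role": "administrator"}
    print("vulnerable handler:", vulnerable_login(guessed))
    print("hardened handler:  ", hardened_login(guessed))
    # A legitimately signed assertion for a known user.
    good = {"subject": "alice", "issued_at": 1}
    print("hardened handler:  ",
          hardened_login({"assertion": good, "signature": sign_assertion(good)}))
```

The point the two functions make is that the role a session receives must be a consequence of a verified identity, not an input; if a plugin ever reads the role from something the browser sent, the assertion check has already been bypassed in effect.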

Pynnönen found that the vulnerability was patched in the latest version of the OneLogin plugin, but it’s unclear if someone else reported the issue to the developer or if it was fixed by mistake since there is no mention of security flaws in the changelog. SecurityWeek has reached out to OneLogin for clarifications.

In Uber’s case, the ride-sharing company used an older version of the plugin on all its WordPress websites. Pynnönen demonstrated the existence of the flaw by accessing an account with “subscriber” privileges on the eng.uber.com domain, and an account with “administrator” privileges on newsroom.uber.com. The expert said he identified seven *.uber.com domains using WordPress and the vulnerable plugin.

Uber decided to award the bug bounty hunter $10,000, the maximum amount offered by the company, because he demonstrated that an attacker could have used the access to newsroom.uber.com to launch further attacks and execute arbitrary code on team.uberinternal.com.

Pynnönen has sent a total of 13 bug reports to Uber, including ones detailing stored and reflected XSS, CSRF, SQL injection and privilege escalation issues. Uber awarded the expert $2,000 or $3,000 for some of the flaws, but others have been marked as ineligible after the company made some updates to its bug bounty program.

For example, the company announced in late April that it will not pay separate bounties for each vulnerability reported in a single component (e.g. plugins used on Uber’s WordPress sites). The organization said it will only reward the issue with the highest risk as “it doesn’t make sense to pay out tens of thousands of dollars when the remediation is just removing the poorly designed plugin.”

“At the end of the day, rewarding is done at our discretion. Some researchers won't agree with some of our decisions, but we're paying out to the best of our ethical ability and trust that the majority of researchers will consider their rewards fair and even generous. We will adapt as the program continues,” Uber said.

Related Reading: Yahoo Paid Out $1.6 Million in Bug Bounty Program

Related Reading: Researcher Gets $13,000 for Microsoft Authentication Flaw

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.