Security Experts:

Connect with us

Hi, what are you looking for?



Uber Pays Researcher $10,000 for Critical Flaw

A security researcher earned $10,000 through Uber’s bug bounty program for reporting a critical authentication bypass vulnerability affecting a third party WordPress plugin.

A security researcher earned $10,000 through Uber’s bug bounty program for reporting a critical authentication bypass vulnerability affecting a third party WordPress plugin.

Jouko Pynnönen of Klikki Oy noticed that several WordPress-powered Uber domains use OneLogin SAML SSO, a plugin that provides single sign-on via SAML. The researcher discovered that the plugin is plagued by a vulnerability that allows attackers to bypass authentication and gain access to user accounts, including ones with admin privileges, if they can guess the associated role name (e.g. admin, editor, contributor, subscriber).

Pynnönen found that the vulnerability was patched in the latest version of the OneLogin plugin, but it’s unclear if someone else reported the issue to the developer or if it was fixed by mistake since there is no mention of security flaws in the changelog. SecurityWeek has reached out to OneLogin for clarifications.

In Uber’s case, the ride sharing company used an older version of the plugin on all its WordPress websites. Pynnonen demonstrated the existence of the flaw by accessing an account with “subscriber” privileges on the domain, and an account with “administrator” privileges on The expert said he identified seven * domains using WordPress and the vulnerable plugin.

Uber decided to award the bug bounty hunter $10,000, the maximum amount offered by the company, because he demonstrated that an attacker could have used the access to to launch further attacks and execute arbitrary code on

Pynnonen has sent a total of 13 bug reports to Uber, including ones detailing stored and reflected XSS, CSRF, SQL injection and privilege escalation issues. Uber awarded the expert $2,000 or $3,000 for some of the flaws, but some of them have been marked as ineligible after the company made some updates to its bug bounty program.

For example, the company announced in late April that it will not pay separate bounties for each vulnerability reported in a single component (e.g. plugins used on Uber’s WordPress sites). The organization said it will only reward the issue with the highest risk as “it doesn’t make sense to pay out tens of thousands of dollars when the remediation is just removing the poorly designed plugin.”

“At the end of the day, rewarding is done at our discretion. Some researchers won’t agree with some of our decisions, but we’re paying out to the best of our ethical ability and trust that the majority of researchers will consider their rewards fair and even generous. We will adapt as the program continues,” Uber said.

Related Reading: Yahoo Paid Out $1.6 Million in Bug Bounty Program

Related Reading: Researcher Gets $13,000 for Microsoft Authentication Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.