
Uber Pays Researcher $10,000 for Critical Flaw

A security researcher earned $10,000 through Uber’s bug bounty program for reporting a critical authentication bypass vulnerability affecting a third-party WordPress plugin.

Jouko Pynnönen of Klikki Oy noticed that several WordPress-powered Uber domains use OneLogin SAML SSO, a plugin that provides single sign-on via SAML. The researcher discovered that the plugin is plagued by a vulnerability that allows attackers to bypass authentication and gain access to user accounts, including ones with admin privileges, if they can guess the associated role name (e.g. admin, editor, contributor, subscriber).

Pynnönen found that the vulnerability was patched in the latest version of the OneLogin plugin, but it’s unclear if someone else reported the issue to the developer or if it was fixed by mistake since there is no mention of security flaws in the changelog. SecurityWeek has reached out to OneLogin for clarifications.

In Uber’s case, the ride-sharing company used an older version of the plugin on all its WordPress websites. Pynnönen demonstrated the existence of the flaw by accessing an account with “subscriber” privileges on the domain, and an account with “administrator” privileges on The expert said he identified seven * domains using WordPress and the vulnerable plugin.

Uber decided to award the bug bounty hunter $10,000, the maximum amount offered by the company, because he demonstrated that an attacker could have used the access to launch further attacks and execute arbitrary code on

Pynnönen has sent a total of 13 bug reports to Uber, including ones detailing stored and reflected XSS, CSRF, SQL injection and privilege escalation issues. Uber awarded the expert $2,000 or $3,000 for some of the flaws, but others were marked as ineligible after the company made some updates to its bug bounty program.

For example, the company announced in late April that it will not pay separate bounties for each vulnerability reported in a single component (e.g. plugins used on Uber’s WordPress sites). The organization said it will only reward the issue with the highest risk as “it doesn’t make sense to pay out tens of thousands of dollars when the remediation is just removing the poorly designed plugin.”


“At the end of the day, rewarding is done at our discretion. Some researchers won’t agree with some of our decisions, but we’re paying out to the best of our ethical ability and trust that the majority of researchers will consider their rewards fair and even generous. We will adapt as the program continues,” Uber said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
