uber

by AppSecure

通过AppSecure

这就是我本可以免费骑Uber的方式 (Here’s how I could’ve ridden for free with Uber)

摘要 (Summary)

This post is about a critical bug on Uber which could have been used by hackers to get unlimited free Uber rides anywhere in the world. This post also explains few best practices while integrating payment gateways.

这篇文章是有关Uber的一个严重错误的，该漏洞可能已被黑客用来在世界任何地方获得无限制的免费Uber游乐设施。这篇文章还介绍了集成支付网关时的一些最佳做法。

描述 (Description)

Uber Technologies Inc. is an online transportation network company, headquartered in San Francisco, California, with operations in 528 cities worldwide. Users can create their account on Uber.com and book a ride. When the ride is completed a user can either pay cash or charge it to their credit/debit card.

Uber Technologies Inc.是一家在线运输网络公司，总部位于加利福尼亚州旧金山，在全球528个城市设有业务。用户可以在Uber.com上创建他们的帐户并预定行程。乘车完成后，用户可以支付现金或将其记入信用卡/借记卡。

But, by specifying an invalid payment method (for example, abc, xyz, and so on), I was able to ride Uber for free.

但是，通过指定无效的付款方式(例如abc，xyz等)，我可以免费乘坐Uber。

To demonstrate the bug, I got permission from the Uber Team and took a free ride in India. I wasn’t charged for any of my rides, using the invalid payment method.

为了演示该错误，我获得了Uber团队的许可，并在印度免费乘车。我使用无效的付款方式未向我的任何游乐设施收费。

脆弱的要求： (Vulnerable request:)

POST /api/dial/v2/requests HTTP/1.1 Host: dial.uber.com {“start_latitude”:12.925151699999999,”start_longitude”:77.6657536,

POST / api / dial / v2 / requests HTTP / 1.1主机：Dial.uber.com {“ start_latitude”：12.925151699999999，“ start_longitude”：77.6657536，

重现步骤： (Steps to reproduce:)

Replayed the above request with random characters as payment_method_id.使用随机字符作为payment_method_id重播了上述请求。
Ride was free.骑是免费的。

影片POC： (Video POC:)

Thanks to Uber Security team for fixing this quickly.

感谢Uber Security团队Swift修复了此问题。

时间表 (The timeline)

Aug 22nd 2016: Vulnerability Report to Uber.

2016年8月22日：给Uber的漏洞报告。

Aug 26th 2016: Uber requested more information about the bug.

2016年8月26日：Uber要求提供有关该错误的更多信息。

Aug 26th 2016: Took a free ride and replied with ride details

2016年8月26日：免费乘车，并提供了乘车详细信息

Aug 27th 2016: Vulnerability fixed by Uber.

2016年8月27日：Uber修复了漏洞。

Sep 10th 2016: Rewarded with $5000 bounty by Uber.

2016年9月10日：Uber奖励$ 5000赏金。

外卖 (Takeaways)

As a developer, you should always take care of the below test cases when integrating payments:

作为开发人员，在集成付款时，应始终注意以下测试用例：

a) Verify if the payment was success or failure by doing a server to server request to payment gateway or verifying checksum to the payment gateway provider.

a)通过执行服务器到服务器对支付网关的请求或验证对支付网关提供商的校验和，来验证支付是成功还是失败。

b) Always validate the amount of the item with the amount which was paid by the user to the payment gateway.

b)始终用用户支付给支付网关的金额来验证商品的金额。

c) Validate currency in the payment API calls. For example, the attacker can pay 50 IDR for a 50 USD item.

c)验证支付API调用中的货币。例如，攻击者可以为50美元的物品支付50 IDR。

d) If you are storing credit cards/debit card information, then always check for authorisation if an identifier is being passed in one of the API requests.

d)如果您存储的是信用卡/借记卡信息，请始终检查授权是否在API请求之一中传递了标识符。

AppSecure is a specialised cyber security company with years of skill acquired and meticulous expertise. We are here to safeguard your business and critical data from online and offline threats or vulnerabilities.

AppSecure是一家专业的网络安全公司，具有多年的专业技能和专业知识。我们在这里保护您的业务和关键数据免受在线和离线威胁或漏洞的侵害。

Contact us: hello@appsecure.in

与我们联系： hello@appsecure.in

翻译自: https://www.freecodecamp.org/news/how-anyone-could-have-used-uber-to-ride-for-free-36cdee5ea854/