Client secret, server tokens for developer applications returned by internal API
State Resolved (Closed)
Disclosed publicly 2019-02-08T06:28:47.213Z
Reported To
Weakness Information Disclosure
Bounty $5,000

Summary by appsecure_in

@appsecure_in identified an internal API for https://riders.uber.com that could return client_secret and server token for applications authorized by the account owner to access their Uber account. We restricted the data returned by this endpoint.

Thanks for bringing this to our attention, @appsecure_in!
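Added example, not Uber's code or anything from the report: the class of bug described above modelled as a serializer that returns the whole application record (secrets included), beside the restricted-field version and a response check that refuses to emit secret-looking keys at any depth. The record layout, field names and helper names are assumptions.

```python
# Added example (not Uber's code). Assumed record layout and field names;
# the secret values below are constructed placeholders.
import re

# Constructed sample: what the backing store holds for one authorized app.
APP_RECORD = {
    "client_id": "app-1234",
    "name": "Example Ride Tracker",
    "scopes": ["profile", "history"],
    "authorized_at": "2018-09-01T10:00:00Z",
    "client_secret": "cs_PLACEHOLDER",
    "server_token": "st_PLACEHOLDER",
    "owner": {"user_id": "u-1", "api_key": "ak_PLACEHOLDER"},
}

# Vulnerable pattern: serialize the whole record, so secrets ride along.
def serialize_app_vulnerable(record):
    return dict(record)

# Hardened pattern: an explicit allowlist of fields the account owner may see.
AUTHORIZED_APP_FIELDS = ("client_id", "name", "scopes", "authorized_at")

def serialize_app(record):
    return {k: record[k] for k in AUTHORIZED_APP_FIELDS if k in record}

# Defense in depth: refuse to send any body carrying a credential-looking key,
# so a field added to the record later cannot leak silently.
SECRET_KEY_RE = re.compile(r"(secret|token|api_key|password)", re.IGNORECASE)

def find_secret_keys(obj, path=""):
    """Return dotted paths of keys in obj that look like credentials."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if SECRET_KEY_RE.search(k):
                found.append(p)
            found.extend(find_secret_keys(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(find_secret_keys(v, f"{path}[{i}]"))
    return found

def build_response(record, serializer=serialize_app):
    """Serialize and audit; raise rather than ship a leaking response."""
    body = serializer(record)
    leaks = find_secret_keys(body)
    if leaks:
        raise ValueError(f"refusing to send response: secret fields {leaks}")
    return body
```

The audit check is a backstop for the allowlist, not a replacement: a secret stored under an innocuous key name would pass it, which is why the allowlist is the primary control.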

Timeline
submitted a report to Uber.
2018-10-05T17:37:55.598Z

Regards,
Frans

2018-10-05T17:39:00.741Z  lindsey-uber  Activities::Comment
2018-10-11T12:03:31.480Z  lindsey-uber  Activities::BugTriaged
2018-10-13T03:55:25.256Z  appsecure_in  Activities::Comment
2018-10-13T04:25:31.652Z  appsecure_in  Activities::Comment
2018-11-06T15:56:14.638Z  lindsey-uber  Activities::BugResolved
2018-11-06T16:11:59.492Z  appsecure_in  Activities::Comment
2018-11-29T15:08:16.781Z  appsecure_in  Activities::Comment
2018-11-29T16:23:34.694Z  lindsey-uber  Activities::Comment
2018-12-14T17:01:45.279Z  appsecure_in  Activities::ReportCollaboratorInvited
2018-12-14T17:02:26.648Z  appsecure_in  Activities::Comment
2018-12-14T19:34:10.560Z  sangwan  Activities::ReportCollaboratorJoined
2018-12-15T01:04:54.031Z  tno  Activities::Comment
2018-12-20T00:00:56.981Z  Activities::BountyAwarded
2018-12-20T00:00:57.820Z  Activities::BountyAwarded
2018-12-22T00:37:32.467Z  lindsey-uber  Activities::Comment
2019-02-08T03:48:42.184Z  Activities::BountyAwarded
2019-02-08T03:48:43.047Z  Activities::BountyAwarded
2019-02-08T03:50:14.703Z  lindsey-uber  Activities::ReportTitleUpdated
2019-02-08T03:50:43.999Z  lindsey-uber  Activities::AgreedOnGoingPublic
2019-02-08T06:28:47.171Z  appsecure_in  Activities::AgreedOnGoingPublic
2019-02-08T06:28:47.235Z  appsecure_in  Activities::ReportBecamePublic