Hi fellow Hackers,
At first Ramadan Kareem! Wishing everyone a very happy Ramadan. Today I will write about an Insecure direct object references (IDOR) vulnerability that I recently discovered in Uber Eats Restaurant.
The Uber Eats Restaurant web application at https://restaurant.uber.com/ is using GraphQL. Back in March, I was doing a collaboration on a Uber report with Sifat Bhai. On that engagement, he discovered an IDOR in GraphQL that leaks data of other Restaurants but that leaked data was not giving any sensitive information to make a report on it. So I decided to take a look at that functionality.
Issue Background: In the Uber Eats for Restaurant dashboard, there is an Analytics option where store owners can see Restaurant Analytics of the last 12 months. Analytics endpoint looks
/analytics/sales where multiple GraphQL requests pullup all data and parse it in that webpage to a readable view. Now I noticed all those requests contain locationUUIDs parameter like
"locationUUIDs":["0292a209-df33-496b-b65b-192c86603d48"]} where 0292a209-df33-496b-b65b-192c86603d48 is my own test account locationUUIDs value. When I changed the locationUUIDs value to another account locationUUIDs value it responded the same with some JSON data in the body that took my attention. But still response body data is not helpful as it is not properly readable and in order to read the data we need to parse it through the webpage.
Automation with Burp: To do the data parsing job I used Burp Suite Tool’s Match and Replace option.
In Burp go to Proxy => Options => Match and Replace
- Click on Add and set up a rule like the below screenshot where Match value is my own restaurant’s locationUUIDs and Replace value is any other restaurant’s locationUUIDs.
- I also added a rule like the below screenshot to change the currency from BDT to USD to get all analytics in USD currency.
- Visit https://restaurant.uber.com and log in using a valid restaurant account username and password and do proper authentication.
- Now setup Burp Suite Tools with that browser and keep Intercept OFF
- All request of the browser will go through Burp & Match and Replace rule will replace all
locationUUIDsparameter value and all data will parse into a readable view on that webpage.
An attacker can access all analytics of a restaurant what includes actions
- Choose a date range to see that date range analytics.
- Orders analytics view and Clicking on Download will Download a CSV copy.
- Track orders placed over time to monitor a restaurant’s popularity.
- Track ticket size over time to see if a restaurant’s receiving larger orders.
- Learn when a target store tends to generate most of its sales.
- Learn when customers tend to place the most orders in a target restaurant.
- Learn when customers tend to place the largest orders in a target restaurant.
- See which items are a restaurant’s top sellers.
To exploit a stored attacker just needs the locationUUIDs parameter value and I showed the Uber Security team a promising way to fuzz the value for any restaurant. This vulnerability was reported in report #1116387 under Uber Bug Bounty Program and
$2,000 Bounty was Rewarded. Check out the video POC too.
Hope you guys enjoyed this one.