Gaining access to Uber's user data through AMPScript evaluation

Modern development and infrastructure management practices are fast paced and constantly evolving. In the race to innovate and expand, new assets are being deployed and exposed to the public Internet rapidly and existing assets are continuously evolving.

Keeping pace with this evolving attack surface is hard enough, let alone securing those applications and systems. Traditional point-in-time and static security approaches simply can’t keep up, and proactively managing threats in this dynamic environment can seem like an impossible task.

The only way to get a handle on this issue is to shift the approach towards security assessment to be continuous and asset-aware. When monitoring a large attack surface with our Continuous Security Platform, we often discover changes to infrastructure that lead to new or undiscovered vulnerabilities.

This was the case when we were investigating an obscure subdomain that had been discovered by Assetnote’s Continuous Security Platform for Uber’s bug bounty: exacttarget-web-hook.uber.com.

For quite some time, the subdomain returned a plain and boring looking “Not Found” error generated by an Express.js webserver.

However, out of the blue, one day the subdomain responded with what seemed to be a comprehensive internal test bed for Uber’s message personalization system:

‍

At first glance, the application looked like an API console made for testing text messages that contain user personalization.

We attempted to use the API console with the provided “Test Contact Key”, however failed to get the API working. After some investigation, we determined it was because the contactKey parameter needed to be our authenticated account’s UUID rather than the one provided on the API console page. We extracted our account’s UUID through the HTML source of https://riders.uber.com/profile once logged in.

After swapping out the contactKey with the UUID of our Uber account, we were able to send API requests to the preview endpoint:

The screenshot of the API console as shown earlier in this blog post contained an example “Message” for the preview endpoint:

From investigating the syntax and making the connection from the subdomain name exacttarget-web-hook, we realized that the above code was actually AMPScript.

Salesforce’s Marketing Cloud provides AMPScript as a scripting language that can be embedded within HTML emails, text emails, landing pages, and SMS messages to control the content being displayed to individual consumers. AMPScript was developed by ExactTarget, which was then acquired by Salesforce in 2013.

Using the example AMPScript provided in the API console failed, so we started investigating if we could actually evaluate AMPScript at all. We soon found the HTTPGet function that would send a HTTP GET request and return the response content:

Great! We’re able to evaluate arbitrary AMPScript! However, the request that we sent through the HTTPGet function didn’t originate from an Uber owned server, it actually originated from AS22606 ExactTarget, Inc. as seen in the screenshot above.

In order to demonstrate the impact of this bug, we extracted user data from the data extension named driver_partners. Data extensions are database tables that can be accessed through AMPScript’s Data Extension functions.

From reading the AMPScript documentation about the LookupRows function, we were able to craft an AMPScript that would do the following:

1. Search the driver_partners data extension for all rows that have the firstname equal to Shubs.
2. Store the results of the query into an array.
3. Iterate over the array and print the values.

The final AMPScript:

When this AMPScript was sent to the preview endpoint, the response contained the UUID, join date, email address, and first name of every user with the first name of Shubs.

HTTP request to the preview endpoint:

Response (UUID’s and email’s have been obfuscated):

As seen above, the details of many users with the first name Shubs were returned (I’ve redacted the screenshot to only show my test accounts). An attacker could have crafted AMPScript to extract data in the masses or to search up specific people in Uber’s data by first name to extract their UUID and email address.

This bug was found on the November 13th 2017. It was fixed by November 15th, and paid out on December 28th.

As a part of HackerOne’s Hack the World event, we were awarded a bonus of $20,000 for being the “most impactful report” during the event period. This made the total payout for this bug $23,000.

Thanks Uber and HackerOne! It was a pleasant experience working with Uber’s security team regarding this issue.

If you’re interested in a demo of Assetnote’s Continuous Security Platform for your organization, please request one here.

‍