Skip to content

Latest commit

 

History

History
240 lines (239 loc) · 31.1 KB

TOPUBER.md

File metadata and controls

240 lines (239 loc) · 31.1 KB
Raw

Top reports from Uber program at HackerOne:

  1. Sensitive user information disclosure at bonjour.uber.com/marketplace/_rpc via the 'userUuid' parameter to Uber - 621 upvotes, $0
  2. Chained Bugs to Leak Victim's Uber's FB Oauth Token to Uber - 398 upvotes, $7500
  3. Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg to Uber - 371 upvotes, $4000
  4. RCE via npm misconfig -- installing internal libraries from the public registry to Uber - 315 upvotes, $9000
  5. Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical) to Uber - 293 upvotes, $10000
  6. [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo to Uber - 281 upvotes, $39999
  7. XSS At "pages.et.uber.com" to Uber - 220 upvotes, $0
  8. Stored XSS in developer.uber.com to Uber - 213 upvotes, $7500
  9. Unauthorized access to █████████.com allows access to Uber Brazil tax documents and system. to Uber - 196 upvotes, $4500
  10. Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com to Uber - 166 upvotes, $0
  11. Reading Emails in Uber Subdomains to Uber - 139 upvotes, $0
  12. Open Redirect on central.uber.com allows for account takeover to Uber - 130 upvotes, $8000
  13. [First 30] Stored XSS on login.uber.com/oauth/v2/authorize via redirect_uri parameter to Uber - 118 upvotes, $3000
  14. Client secret, server tokens for developer applications returned by internal API to Uber - 117 upvotes, $0
  15. Reflected XSS on https://www.uber.com to Uber - 111 upvotes, $0
  16. ubernycmarketplace.com is vulnerable to the Heartbleed Bug to Uber - 109 upvotes, $1500
  17. Stored XSS on any page in most Uber domains to Uber - 103 upvotes, $6000
  18. IDOR leads to leak analytics of any restaurant to Uber - 103 upvotes, $2000
  19. uber.com may RCE by Flask Jinja2 Template Injection to Uber - 96 upvotes, $10000
  20. IDOR leads to See analytics of Loyalty Program in any restaurant. to Uber - 93 upvotes, $1500
  21. password reset token leaking allowed for ATO of an Uber account to Uber - 88 upvotes, $10000
  22. private passenger information is exposed to the Uber Driver app during ride dispatch ("Ping") events to Uber - 87 upvotes, $750
  23. SAML Authentication Bypass on uchat.uberinternal.com to Uber - 82 upvotes, $8500
  24. Possibility to get private email using UUID to Uber - 82 upvotes, $5000
  25. [CRITICAL] -- Complete Account Takeover to Uber - 81 upvotes, $8000
  26. SQL Injection on sctrack.email.uber.com.cn to Uber - 80 upvotes, $4000
  27. Subdomain takeover at signup.uber.com to Uber - 78 upvotes, $0
  28. Lack of proper paymentProfileUUID validation allows any number of free rides without any outstanding balance to Uber - 74 upvotes, $1500
  29. Pre-auth Remote Code Execution on multiple Uber SSL VPN servers to Uber - 73 upvotes, $2000
  30. Changing paymentProfileUuid when booking a trip allows free rides to Uber - 72 upvotes, $5000
  31. OneLogin authentication bypass on WordPress sites via XMLRPC to Uber - 71 upvotes, $7000
  32. Open AWS S3 bucket at ubergreece.s3.amazonaws.com exposes confidential internal documents and files to Uber - 67 upvotes, $500
  33. Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront to Uber - 66 upvotes, $1000
  34. Lack of payment type validation in dial.uber.com allows for free rides to Uber - 65 upvotes, $0
  35. xss in https://www.uber.com to Uber - 64 upvotes, $0
  36. Hack The World 2017 Top 2 Bonus to Uber - 61 upvotes, $5000
  37. Authorization issue in Google G Suite allows DoS through HTTP redirect to Uber - 61 upvotes, $0
  38. SQL injection in 3rd party software Anomali to Uber - 57 upvotes, $2500
  39. Blind OOB XXE At "http://ubermovement.com/" to Uber - 55 upvotes, $500
  40. Multiple vulnerabilities in a WordPress plugin at drive.uber.com to Uber - 54 upvotes, $0
  41. Chain of IDORs Between U4B and Vouchers APIs Allows Attackers to View and Modify Program/Voucher Policies and to Obtain Organization Employees' PII to Uber - 54 upvotes, $0
  42. [manage.jumpbikes.com] Blind XSS on Jump admin panel via user name to Uber - 53 upvotes, $0
  43. Unrestricted File Upload Results in Cross-Site Scripting Attacks to Uber - 53 upvotes, $0
  44. OneLogin authentication bypass on WordPress sites to Uber - 49 upvotes, $10000
  45. Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains to Uber - 49 upvotes, $6000
  46. Chain of vulnerabilities in Uber for Business Vouchers program allows for attacker to perform arbitrary charges to victim's U4B payment account to Uber - 48 upvotes, $5750
  47. Stored XSS on auth.uber.com/oauth/v2/authorize via redirect_uri parameter leads to Account Takeover to Uber - 46 upvotes, $3000
  48. Critical Information disclosure of rtapi token for any user via https://video-support-staging.uber.com/video/api/getPopulousUser to Uber - 46 upvotes, $0
  49. Avoiding Surge Pricing to Uber - 45 upvotes, $3000
  50. [uchat.uberinternals.com] Mattermost doesn't check Origin in Websockets, which leads to the Critical Inforamation Leakage. to Uber - 42 upvotes, $2000
  51. SQLI on uberpartner.eu leads to exposure of sensitive user data of Uber partners to Uber - 41 upvotes, $1500
  52. Publicly exposed HashiCorp Vault (Secrets management) at usec-gcp-staging.uberinternal.com & usec-gcp.uberinternal.com to Uber - 40 upvotes, $0
  53. Reflected XSS on multiple uberinternal.com domains to Uber - 38 upvotes, $2000
  54. Reflected XSS in lert.uber.com to Uber - 38 upvotes, $0
  55. SQL injection in Wordpress Plugin Huge IT Video Gallery at https://drive.uber.com/frmarketplace/ to Uber - 37 upvotes, $3000
  56. Reflected XSS on https://www.uber.com to Uber - 37 upvotes, $1000
  57. CVE-2020-3452 - unauthenticated file read on anyconnect.routematch.com to Uber - 36 upvotes, $500
  58. Attacker could setup reminder remotely using brute force to Uber - 36 upvotes, $0
  59. Change the rating of any trip, therefore change the average driver rating to Uber - 35 upvotes, $1500
  60. Stealing users password (Limited Scenario) to Uber - 35 upvotes, $0
  61. phone number exposure for riders/drivers given email/uuid to Uber - 35 upvotes, $0
  62. Possibility to brute force invite codes in riders.uber.com to Uber - 34 upvotes, $5000
  63. Stored XSS on developer.uber.com via admin account compromise to Uber - 33 upvotes, $5000
  64. Arbitrary File Reading on Uber SSL VPN to Uber - 32 upvotes, $6500
  65. Full Path and internal information disclosure+ SQLNet.log file disclose internal network information to Uber - 32 upvotes, $0
  66. Reflected XSS on Partners Subdomain to Uber - 31 upvotes, $2000
  67. DOM based XSS via insecure parameter on [ https://uberpay-mock-psp.uber.com ] to Uber - 31 upvotes, $1420
  68. Reflected XSS on developer.uber.com via Angular template injection to Uber - 30 upvotes, $3000
  69. Reflected XSS POST method at partners.uber.com to Uber - 30 upvotes, $3000
  70. Site-wide CSRF on eats.uber.com to Uber - 29 upvotes, $6000
  71. API on campus-vtc.com allows access to ~100 Uber users full names, email addresses and telephone numbers. to Uber - 29 upvotes, $750
  72. Information Leakage - GitHub - VCenter configuration scripts, StorMagic usernames and password along with default ESXi root password to Uber - 28 upvotes, $1000
  73. pam_ussh does not properly validate the SSH certificate authority to Uber - 28 upvotes, $1000
  74. 4 Subdomains Takeover on 2 domains ( muberscolombia.com & ubereats.pl ) to Uber - 28 upvotes, $500
  75. HTML injection via insecure parameter [https://www.ubercarshare.com/] to Uber - 27 upvotes, $650
  76. Subdomain takeover on mta1a1.spmail.uber.com to Uber - 27 upvotes, $0
  77. Exposed█████████in apk file - devbuilds.uber.com to Uber - 27 upvotes, $0
  78. Corss-Tenant IDOR on Business allowing escalation privilege, invitation takeover, and edition of any other Businesses' employees to Uber - 27 upvotes, $0
  79. Improper Access Control on Onelogin in multi-layered architecture to Uber - 26 upvotes, $500
  80. [data-07.uberinternal.com] SSRF in Portainer app lead to access to Internal Docker API without Auth to Uber - 26 upvotes, $500
  81. SQLI on desafio5estrelas.com to Uber - 25 upvotes, $2500
  82. duplicate hsts headers lead to firefox ignoring hsts on business.uber.com to Uber - 25 upvotes, $500
  83. Possible to View Driver Waybill via Driver UUID to Uber - 24 upvotes, $3000
  84. Outdated Wordpress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities to Uber - 24 upvotes, $500
  85. Full read SSRF in flyte-poc-us-east4.uberinternal.com to Uber - 23 upvotes, $2000
  86. Get organization info base on uuid to Uber - 22 upvotes, $3000
  87. Possibility to enumerate and bruteforce promotion codes in Uber iOS App to Uber - 22 upvotes, $3000
  88. pam-ussh may be tricked into using another logged in user's ssh-agent to Uber - 22 upvotes, $1500
  89. Subdomain takeover of translate.uber.com, de.uber.com and fr.uber.com to Uber - 21 upvotes, $2250
  90. CBC "cut and paste" attack may cause Open Redirect(even XSS) to Uber - 20 upvotes, $500
  91. XSS @ love.uber.com to Uber - 19 upvotes, $3000
  92. Cleartext password exposure allows access to the desafio5estrelas.com admin panel to Uber - 19 upvotes, $500
  93. IDOR in activateFuelCard id allows bulk lookup of driver uuids to Uber - 18 upvotes, $0
  94. Uber Test Report 20220301 to Uber - 18 upvotes, $0
  95. Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin to Uber - 17 upvotes, $5000
  96. XSS on partners.uber.com due to no user input sanitisation to Uber - 17 upvotes, $1000
  97. Multiple Vulnerabilities (Including SQLi) in love.uber.com to Uber - 17 upvotes, $250
  98. deleting payment profile during active trip puts account into arrears but active trip is temporarily “free” to Uber - 17 upvotes, $0
  99. Privacy policy contains hardcoded link using unencrypted HTTP to Uber - 17 upvotes, $0
  100. Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/ to Uber - 16 upvotes, $500
  101. Information regarding trips from other users to Uber - 15 upvotes, $5000
  102. IDOR on partners.uber.com allows for a driver to override administrator documents to Uber - 15 upvotes, $500
  103. Missing authorization checks leading to the exposure of ubernihao.com administrator accounts to Uber - 14 upvotes, $3000
  104. xss vulnerability in http://ubermovement.com/community/daniel to Uber - 14 upvotes, $0
  105. Uber employees are sharing information on productforums.google.com to Uber - 14 upvotes, $0
  106. Golang expvar Information Disclosure to Uber - 14 upvotes, $0
  107. Chained vulnerabilities create DOS attack against users on desafio5estrelas.com to Uber - 13 upvotes, $1000
  108. SMS/Call spamming due to truncated phone number to Uber - 13 upvotes, $500
  109. Lack of CNAME/A Record Trimming Pointing Uber Domains to Insecure Non-Uber AWS Instances/Sites to Uber - 13 upvotes, $0
  110. Server version disclosure to Uber - 12 upvotes, $0
  111. Cookie Bombing cause DOS - businesses.uber.com to Uber - 12 upvotes, $0
  112. Lack of rate limiting on get.uber.com leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers to Uber - 11 upvotes, $3000
  113. XSS in ubermovement.com via editable Google Sheets to Uber - 11 upvotes, $2000
  114. Lack of CSRF protection on uberps.com makes every form vulnerable to CSRF to Uber - 11 upvotes, $500
  115. Bulk UUID enumeration via invite codes to Uber - 11 upvotes, $0
  116. No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts to Uber - 11 upvotes, $0
  117. Exposed Golang Pprof debugger at https://cn-geo1.uber.com/ to Uber - 11 upvotes, $0
  118. Access to SQL server of ubergreen.pt through password disclosure from different domain on same IP to Uber - 10 upvotes, $750
  119. Unsecured Dropwizard Admin Panel on display.uber-adsystem.com exposes sensitive server information to Uber - 10 upvotes, $500
  120. Session not expired When logout [partners.uber.com] to Uber - 10 upvotes, $0
  121. Delay of arrears notification allows Riders to take multiple rides without paying to Uber - 10 upvotes, $0
  122. Open redirect on rush.uber.com, business.uber.com, and help.uber.com to Uber - 10 upvotes, $0
  123. Request Access for Uber Device Returns Management Platform (https://www.eats-devicereturns.com/request-access/) Bypass Allows Access to PII to Uber - 10 upvotes, $0
  124. Open Redirect in m.uber.com to Uber - 9 upvotes, $500
  125. Open Redirect in riders.uber.com to Uber - 9 upvotes, $500
  126. Full path disclosure on track.uber.com to Uber - 9 upvotes, $100
  127. Bruteforce INVITE codes easy way to Uber - 9 upvotes, $0
  128. Reflected XSS on Uber.com careers to Uber - 8 upvotes, $3000
  129. Bypassing Uber Partner's 3 Cancel Limit to Uber - 8 upvotes, $2000
  130. [IODR] Get business trip via organization id to Uber - 8 upvotes, $2000
  131. Open Redirection on Uber.com to Uber - 8 upvotes, $500
  132. Reflected XSS via Unvalidated / Open Redirect in uber.com to Uber - 7 upvotes, $3000
  133. Listing of email addresses of whitelisted business users visible at business.uber.com to Uber - 7 upvotes, $250
  134. Can add employee in business.uber.com without add payment method to Uber - 7 upvotes, $0
  135. The Microsoft Store Uber App Does Not Implement Certificate Pinning to Uber - 7 upvotes, $0
  136. Information Leak - GitHub - Endpoint Configuration Details to Uber - 7 upvotes, $0
  137. Physical Access to Mobile App Allows Local Attribute Updates without Authentication to Uber - 7 upvotes, $0
  138. [usuppliers.uber.com] - Server Side Request Forgery via XXE OOB to Uber - 7 upvotes, $0
  139. newsroom.uber.com is vulnerable to 'SOME' XSS attack via plupload.flash.swf to Uber - 6 upvotes, $1000
  140. ability to retrieve a user's phone-number/email for a given inviteCode to Uber - 6 upvotes, $1000
  141. SMS URL verification link does not expire on phone number change and lacks rate limiting to Uber - 6 upvotes, $500
  142. Stored Cross Site Scripting [SELF] in partners.uber.com to Uber - 6 upvotes, $0
  143. Users can falsely declare their own Uber account info on the monthly billing application to Uber - 6 upvotes, $0
  144. It's possible to view configuration and/or source code on uchat.awscorp.uberinternal.com without to Uber - 6 upvotes, $0
  145. stack trace exposed on https://receipts.uber.com/ to Uber - 6 upvotes, $0
  146. Google Maps API Key Leakage to Uber - 6 upvotes, $0
  147. Stored XSS in archive.uber.com Due to Injection of Javascript:alert(0) to Uber - 5 upvotes, $3000
  148. Reflected XSS via Livefyre Media Wall in newsroom.uber.com to Uber - 5 upvotes, $2000
  149. Stored XSS in drive.uber.com WordPress admin panel to Uber - 5 upvotes, $2000
  150. Email Address Enumeration to Uber - 5 upvotes, $0
  151. Requested and received edit access to Google form to Uber - 5 upvotes, $0
  152. reopen #128853 (Information disclosure at lite.uber.com) to Uber - 5 upvotes, $0
  153. Content injection on 404 error page at faspex.uber.com to Uber - 5 upvotes, $0
  154. muber-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 5 upvotes, $0
  155. lert.uber.com: Few default folders/files of AURA Framework are accessible to Uber - 5 upvotes, $0
  156. [experience.uber.com] Node.js source code disclosure & anonymous access to internal Uber documents, templates and tools to Uber - 5 upvotes, $0
  157. CSV Injection in business.uber.com to Uber - 4 upvotes, $1000
  158. Mass Assignment Vulnerability in partners.uber.com to Uber - 4 upvotes, $1000
  159. Thumbor misconfiguration at blogapi.uber.com can lead to DoS to Uber - 4 upvotes, $500
  160. Compromising Atlassian Confluence (team.uberinternal.com) via WordPress (newsroom.uber.com) to Uber - 4 upvotes, $0
  161. Disclosure of ways to the site root to Uber - 4 upvotes, $0
  162. Use Partner/Driver App Without Being Activated to Uber - 4 upvotes, $0
  163. Uber is Flooding my Mobile with SMS Daily like a cron JOB to Uber - 4 upvotes, $0
  164. XSS in uber oauth to Uber - 4 upvotes, $0
  165. XSS via password recovering to Uber - 4 upvotes, $0
  166. XSS in people.uber.com to Uber - 4 upvotes, $0
  167. Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication to Uber - 4 upvotes, $0
  168. XSS in getrush.uber.com to Uber - 3 upvotes, $3000
  169. SQLi in love.uber.com to Uber - 3 upvotes, $3000
  170. Dom Based Xss to Uber - 3 upvotes, $3000
  171. Wordpress Vulnerabilities in transparencyreport.uber.com and eng.uber.com domains to Uber - 3 upvotes, $1000
  172. Brute-Forcing invite codes in partners.uber.com to Uber - 3 upvotes, $750
  173. LIsting of http://archive.uber.com/pypi/simple/ to Uber - 3 upvotes, $0
  174. CSRF on eng.uber.com may lead to server-side compromise to Uber - 3 upvotes, $0
  175. CRLF Injection in developer.uber.com to Uber - 3 upvotes, $0
  176. Self-XSS Vulnerability on Password Reset Form to Uber - 3 upvotes, $0
  177. Unsubscribe any user from receiving email to Uber - 3 upvotes, $0
  178. Phone Number Enumeration to Uber - 3 upvotes, $0
  179. Newsroom.uber HTML form without CSRF protection to Uber - 3 upvotes, $0
  180. Information Disclosure on lite.uber.com to Uber - 3 upvotes, $0
  181. Header Injection to Uber - 3 upvotes, $0
  182. Text Only Content Spoofing on ubermovement.com Community Page to Uber - 3 upvotes, $0
  183. Defect-Security | Driver-Broken Authentication | Able to update the Subscription Setting anonymously to Uber - 3 upvotes, $0
  184. text injection in get.uber.com/check-otp to Uber - 3 upvotes, $0
  185. The Microsoft Store Uber App Does Not Implement Server-side Token Revocation to Uber - 3 upvotes, $0
  186. The Uber Promo Customer Endpoint Does Not Implement Multifactor Authentication, Blacklisting or Rate Limiting to Uber - 3 upvotes, $0
  187. SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
  188. SSL-protected Reflected XSS in m.uber.com to Uber - 3 upvotes, $0
  189. SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
  190. udi-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
  191. lite:sess Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
  192. XSS on partners.uber.com to Uber - 2 upvotes, $500
  193. Drivers can change profile picture to Uber - 2 upvotes, $500
  194. Estimation of a Lower Bound on Number of Uber Drivers via Enumeration to Uber - 2 upvotes, $500
  195. It is possible to re-rate a driver after a very long time to Uber - 2 upvotes, $0
  196. Pixel flood attack in https://riders.uber.com/profile to Uber - 2 upvotes, $0
  197. Enumerating userIDs with phone numbers to Uber - 2 upvotes, $0
  198. Active Email Hyperlink Sent on riders.uber.com to Uber - 2 upvotes, $0
  199. Disclosure of ip addresses in local network of uber to Uber - 2 upvotes, $0
  200. Information disclosure at lite.uber.com to Uber - 2 upvotes, $0
  201. faspex.uber.com uses an invalid SSL certificate to Uber - 2 upvotes, $0
  202. Server version disclosure: team.uberinternal.com to Uber - 2 upvotes, $0
  203. Email Enumeration Vulnerability to Uber - 2 upvotes, $0
  204. Uber for Business Allows Administrators to Change Uber Driver Ratings Due to Failure to Authenticate fast-rating Endpoint to Uber - 2 upvotes, $0
  205. Missing authentication on Notification setting . to Uber - 2 upvotes, $0
  206. Disclosure of Co-Rider user (Uber-pooling) profile picture at Amazon AWS Cloudfront within HTTP RESPONSE to Uber - 2 upvotes, $0
  207. XSS In archive.uber.com Due to Mime Sniffing in IE to Uber - 1 upvotes, $750
  208. Easy spam with USE My PHONE Feature to Uber - 1 upvotes, $250
  209. Issue with Password reset functionality to Uber - 1 upvotes, $100
  210. Cross-site Scripting (XSS) autocomplete generation in https://www.uber.com/ to Uber - 1 upvotes, $0
  211. HTML Escaping Error in the 404 Page on developer.uber.com/docs/ to Uber - 1 upvotes, $0
  212. Cross-site Scripting (XSS) to Uber - 1 upvotes, $0
  213. XSS on love.uber.com to Uber - 1 upvotes, $0
  214. Session retention is present which reveals the customer info to Uber - 1 upvotes, $0
  215. CrashPlan Backup is Vulnerable Allowing to a DoS Attack Against Uber's Backups to backup.uber.com to Uber - 1 upvotes, $0
  216. DOM based XSS on to Uber - 1 upvotes, $0
  217. Password Reset Does Not Confirm the Existence of an Email Address to Uber - 1 upvotes, $0
  218. Create account in uber without signup form to Uber - 1 upvotes, $0
  219. Privilege escalation to allow non activated users to login and use uber partner ios app to Uber - 1 upvotes, $0
  220. Uber password reset link EMAIL FLOOD to Uber - 1 upvotes, $0
  221. Uploading Plain Text to uber-documents.s3.amazonaws.com Through the Driver Document Upload Page to Uber - 1 upvotes, $0
  222. Changing Driver Passwords With Only an Authenticated Session (no password, no email) to Uber - 1 upvotes, $0
  223. SMS Flood with Update Profile to Uber - 1 upvotes, $0
  224. Brute Forcing rider-view Endpoint Allows for Counting Number of Active Uber Drivers to Uber - 1 upvotes, $0
  225. Session Impersonation in riders.uber.com to Uber - 1 upvotes, $0
  226. developer.uber.com/404 and developer.uber.com/docs/404 are susceptible to iframes to Uber - 1 upvotes, $0
  227. Unauthorized file (invoice) download to Uber - 1 upvotes, $0
  228. Authentication Issue for easter egg on bonjour.uber.com to Uber - 1 upvotes, $0
  229. Command Injection, Information to Uber - 1 upvotes, $0
  230. Self-XSS in Partners Profile to Uber - 1 upvotes, $0
  231. Error Message on 404 page to Uber - 1 upvotes, $0
  232. Clickjacking in love.uber.com to Uber - 1 upvotes, $0
  233. Stored self-XSS at m.uber.com to Uber - 1 upvotes, $0
  234. User credentials are not strong on vault.uber.com to Uber - 1 upvotes, $0
  235. Self-XSS on partners.uber.com to Uber - 1 upvotes, $0
  236. Brute Force Amplification Attack to Uber - 1 upvotes, $0
  237. User Enumeration and Information Disclosure to Uber - 1 upvotes, $0
  238. Design Issue at riders.uber.com/profile to Uber - 1 upvotes, $0