bug-bounty451
google354
xss338
microsoft283
facebook246
apple171
exploit163
rce160
malware102
account-takeover95
cve91
bragging-post86
csrf83
browser77
writeup75
privilege-escalation68
react60
authentication-bypass57
cloudflare54
dos53
node52
docker51
ssrf51
phishing50
aws48
access-control47
oauth45
smart-contract45
supply-chain44
ethereum43
defi42
web342
sql-injection41
lfi37
idor35
vulnerability-disclosure32
smart-contract-vulnerability32
clickjacking31
burp-suite31
info-disclosure31
race-condition31
web-application31
reverse-engineering31
wordpress30
input-validation30
web-security29
information-disclosure29
cloud29
reflected-xss29
solidity27
0
8/10
Uber's SSO system was vulnerable to authentication bypass through a combination of subdomain takeover (dangling CloudFront CNAME on saostatic.uber.com) and session cookie theft via shared cookies across *.uber.com subdomains. An attacker could relay CSRF tokens and steal the _csid session cookie from authenticated users, then impersonate them across all Uber subdomains by injecting the stolen cookie into their own login flow.
subdomain-takeover
authentication-bypass
sso-bypass
session-cookie-theft
csrf-bypass
cloudfront
dns-cname
shared-cookies
bug-bounty
Uber
Amazon CloudFront
saostatic.uber.com
auth.uber.com
Arne Swinnen
Frans Rosén
Jack Whitton