8/10
Uber's SSO system was vulnerable to authentication bypass through a combination of subdomain takeover (a dangling CloudFront CNAME on saostatic.uber.com) and session cookie theft via cookies shared across *.uber.com subdomains. An attacker could relay CSRF tokens and steal the _csid session cookie from authenticated users, then impersonate those users across all Uber subdomains by injecting the stolen cookie into the attacker's own login flow.
subdomain-takeover
authentication-bypass
sso-bypass
session-cookie-theft
csrf-bypass
cloudfront
dns-cname
shared-cookies
bug-bounty
Uber
Amazon CloudFront
saostatic.uber.com
auth.uber.com
Arne Swinnen
Frans Rosén
Jack Whitton