bug-bounty497
google318
xss300
microsoft262
facebook230
rce194
exploit166
apple155
malware144
cve131
account-takeover113
bragging-post110
privilege-escalation88
csrf86
authentication-bypass71
stored-xss66
writeup62
phishing62
browser59
reflected-xss59
dos59
supply-chain57
access-control52
reverse-engineering50
input-validation49
web-security49
react49
cloudflare48
defi48
ssrf48
smart-contract47
cross-site-scripting46
open-source46
oauth44
ethereum44
sql-injection43
lfi43
aws41
web340
node39
docker38
web-application38
race-condition37
ctf37
api-security36
burp-suite36
ai-agents35
pentest35
info-disclosure35
buffer-overflow33
0
9/10
Uber's SSO system based on shared session cookies across *.uber.com subdomains was vulnerable to authentication bypass via a combination of subdomain takeover on saostatic.uber.com (dangling CloudFront CNAME) and session cookie theft through CSRF token relay attacks. An attacker could compromise any *.uber.com subdomain to steal the '_csid' shared session cookie and relay CSRF tokens to impersonate authenticated users across all Uber subdomains.
subdomain-takeover
authentication-bypass
sso
session-cookie-theft
cloudfront
csrf
cookie-security
shared-session-cookies
dangling-dns
identity-provider
bug-bounty
Uber
Amazon CloudFront
saostatic.uber.com
auth.uber.com
Arne Swinnen
Frans Rosén
Jack Whitton