A researcher discovered a wildcard subdomain takeover vulnerability on uber.design by identifying that the domain's wildcard DNS pointed to Heroku's unclaimed infrastructure, allowing registration of arbitrary subdomains (*.uber.design) and potential email spoofing via Google Workspace verification.
A researcher escalated a self-XSS vulnerability on Uber's Partners portal into a cross-user XSS attack by chaining three separate issues: leveraging missing CSRF protection in the OAuth login flow and logout endpoint, combined with CSP manipulation and iframe-based session hijacking to execute arbitrary JavaScript in a victim's context and exfiltrate sensitive data.
A researcher discovered an XSS vulnerability on payment-providers.uber.com by using subdomain enumeration (Sublist3r), directory brute-forcing (dirb), and the KNOXSS tool, earning a $500 bounty that was later revoked for being on a non-browser-facing endpoint.
A researcher discovered a stored XSS vulnerability in Uber's invitation link feature by injecting a payload into the 'v' parameter, then bypassed the strict Content Security Policy by leveraging the whitelisted *.uber.com domain to load a malicious Marketo callback endpoint, resulting in a $2,000 bounty.