Hijack the JS File of Uber's Website
03 Dec 2018 - zhchbin
Again, sorry for my poor English first of all, and I will try my best to describe this bug bounty report thoroughly.
- Almost all of Uber's websites load the JS file https://tags.tiqcdn.com/utag/uber/main/prod/utag.js
- I found that the content of utag.js is updated from /data/utui/data/accounts/uber/templates/main/utag.js when deploying in my.tealiumiq.com.
- my.tealiumiq.com had a path traversal issue, which allowed an attacker to change the utag.js of other accounts, including Uber's.
- This bug was fixed 8 months ago. Bug Bounty: $6000.
I like asking myself some questions when hunting for bug bounties. Looking around https://tags.tiqcdn.com/utag/uber/main/prod/utag.js, I found that Uber's websites were using a third-party service offered by Tealium. I asked myself: can I modify the content of
I registered two accounts and began my journey. WARNING: DO NOT TEST IN PRODUCTION USING THE TARGET ACCOUNT.
- Use profile=main%00 to get the path on the server
As you can see, the utag.loader template path is
- Change the request body to update the revision.loader
As you can see, the revision 201804081230 appears in the path. After testing, I found that I could insert ../ into this path, which means that I could change the utag.js of any account, including Uber's.
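To make the mechanism concrete, here is an added illustration in Python; it is not Tealium's code, and the directory layout (a revision subdirectory under the profile), the ACCOUNTS_ROOT constant and the parameter names are assumptions modelled on the paths quoted above. It shows why a revision value containing ../ canonicalises into another account's template directory, and the checks that close both the traversal and the %00 path disclosure: reject NUL bytes, allow-list each token, and confirm the resolved path still sits under the requesting account's own directory.

```python
import posixpath
import re

# Assumed layout, modelled on the path quoted in the write-up
# (/data/utui/data/accounts/uber/templates/main/utag.js); the revision
# subdirectory is an assumption made for this illustration.
ACCOUNTS_ROOT = "/data/utui/data/accounts"
TOKEN = re.compile(r"[A-Za-z0-9_-]+")


class PathTraversal(ValueError):
    """Raised when a request parameter would leave the caller's account directory."""


def naive_template_path(account: str, profile: str, revision: str) -> str:
    """Vulnerable construction: parameters are spliced into the path unchecked."""
    return f"{ACCOUNTS_ROOT}/{account}/templates/{profile}/{revision}/utag.js"


def canonical(path: str) -> str:
    """Collapse '.' and '..' the way the filesystem will when the path is opened."""
    return posixpath.normpath(path)


def is_within(path: str, root: str) -> bool:
    """True if the canonical form of `path` lies inside directory `root`."""
    path, root = canonical(path), canonical(root)
    return path == root or path.startswith(root + "/")


def safe_template_path(account: str, profile: str, revision: str) -> str:
    """Hardened construction: allow-list each token, then prove containment."""
    for name, value in (("account", account), ("profile", profile), ("revision", revision)):
        # A NUL byte truncates the path in C-level file APIs; the write-up's
        # profile=main%00 trick relies on exactly that to leak the server path.
        if "\x00" in value:
            raise PathTraversal(f"NUL byte in {name}")
        # Account, profile and revision are plain tokens; '/', '.', '%' are never legitimate.
        if not TOKEN.fullmatch(value):
            raise PathTraversal(f"illegal characters in {name}: {value!r}")
    candidate = canonical(naive_template_path(account, profile, revision))
    # Defence in depth: even if the allow-list were loosened later, the resolved
    # path must still sit under the requesting account's own directory.
    if not is_within(candidate, f"{ACCOUNTS_ROOT}/{account}"):
        raise PathTraversal(f"{candidate} escapes the {account} account directory")
    return candidate


def rejects(account: str, profile: str, revision: str) -> bool:
    """Helper: does the hardened builder refuse this request?"""
    try:
        safe_template_path(account, profile, revision)
    except PathTraversal:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker input: a 'revision' that climbs out of the attacker's
    # own profile directory and into another account's template directory.
    hostile = "../../../uber/templates/main"
    print(naive_template_path("attacker", "main", hostile))
    print(canonical(naive_template_path("attacker", "main", hostile)))
    print(safe_template_path("uber", "main", "201804081230"))
    print(rejects("attacker", "main", hostile))
```

The containment check compares against root + "/" rather than a bare prefix so that a sibling directory such as uber-evil is not mistaken for uber; the allow-list alone would already stop the traversal, but keeping both layers means a later relaxation of the token rule does not silently reopen the bug.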