How I Accessed Employee Settings on Uber (opens in new tab)

(medium.com)

92 pointsnathanmock11y ago6 comments

6 comments

nathanmockOP11y ago

Author here: I was able to access employee settings for Uber Technologies, not just employee driver settings.

franklinho11y ago

Very cool. With the same approach were you able to manipulate prices or surge/no surge?

Wouldn't be very useful in real life, but if they have a bug bounty program you could report it.

jhgg11y ago

I don't think this is the case. Setting this "isAdmin" flag simply caused the UI to be rendered. But I'm pretty sure that require any access to the remote API calls will be rejected.

jordanthoms11y ago

This is nowhere near as bad as it seems at first - the impact looks limited to changing things within their own app, it's basically just the debug menu. It's not actually giving them access to any additional information or privileges.

seanieb11y ago

Theres no date on this story.

jonursenbach11y ago

Bottom of the page. Feb 27th.

j / k navigate · click thread line to collapse