How does being rude with personal attacks help your case at all? (On a purely emotional level, it even makes me want to side with Uber for this)
> Oh my God. Are you seriously the Program Manager for Uber's Security Division, with a 2013 psych degree and zero relevant industry experience other than technical recruiting? LULZ (https://hackerone.com/reports/293359#activity-2203160)
Are you familiar with the freelancers' concept of "fuck you, pay me"?
I guess that's how the first part works. There are things you can try, and there are other things. Messing with freelance pen testers is clearly one of the latter.
Given the nature of the game I'd say that's a mild response. On a scale of 0 to 10 that would rate a 3 or so. If there is one group I'd really avoid pissing off it would be pentesters.
The freelancers' "fuck you, pay me" is based on very clear contracts and respectful communication, even when things go bad. This is not what's happening here AFAICS.
The minimum payout is subject to various conditions — for example, not being a duplicate. The author did not meet those conditions, and resorted to personal attacks instead of keeping things professional.
Uber has many, many problems as a company, but on this matter I can't say they're in the wrong.
Clearly doesn't help his case, but it's not really material to whether they should pay out or not. Why didn't they disclose the one that most everyone here agrees was an obviously-qualified-for-payout vulnerability?
This seems unnecessarily callous. The writer was incredibly insulting to a person in a public forum, but that's ok because "well they worked for Uber"?
I don't see this discussion as about whether a corporate PR team is allowed to issue a response. It's about the author childishly lashing out at an individual because he didn't agree with their decision.
Irrelevant. If he found these bugs, even if he’s been a dick about it then he still found a bunch of vulnerabilities that Uber was exposed to. Pay the man, it’s a few thousand dollars as opposed to a major exploit!
But that's my point. Of course he deserved a payout if he reported a previously unknown vulnerability. What I'm saying is that he (appears to have) behaved in such a toxic way (sow) that someone denied something he deserved (reap). All parties in this are squishy humans with emotions.
No one looks good: he doesn't look good for how he behaved/communicated, Uber doesn't look good for denying the payout on a valid report, and HackerOne doesn't look good for not enforcing a minimum payout on a valid report.
These are low severity reports. The first two require difficult prerequisites for an attacker to exploit, and the last one was not proven to be a security flaw.
#293358: it's not ideal that the certificate isn't pinned, but to exploit this an attacker needs to either install their own root certificate on the victim's device, somehow obtain a private key for a certificate already installed, or have a certificate authority misissue a certificate to them for an Uber domain used by the app.
#293363: an attacker still needs to acquire the victim's X-Uber-Token somehow for this to be useful. It's also somewhat mitigated by the token being invalidated when the victim changes their password.
#293359: as pointed out by Uber, no weaknesses in the token generation algorithm were actually demonstrated, and brute forcing the 2^128 keyspace is infeasible.
Also, the rudeness he displayed was petty and unhelpful:
> given the fact that at least one of your system architects were apparently high when they designed and implemented your bearer token assignment process
> Not completely unexpected though, given the caliber of talent utilized by Uber such as the “security” group that you hail from. You would do well in government security consulting, for sure.
> Oh my God. Are you seriously the Program Manager for Uber's Security Division, with a 2013 psych degree and zero relevant industry experience other than technical recruiting? LULZ
All in all, rather a poor result for this vulnerability researcher.
Word (by default) puts shapes in a static/relative position in line with text and makes it hard to move shapes around without changing the text wrapping setting for individual shapes.
Excel (by default) puts shapes in an absolute position that can be freely moved around and repositioned.
PowerPoint does the same thing with shapes, but there isn't a grid to draw on top of.
"Huh. Excel only goes to 16,384 columns." Said my office-mate many years ago in grad school, when he was putting all of his data in one giant spreadsheet.
It also once had a row limit. I believe it was 32k, but it's been a while. I remember having to program my Perl reporting tool to add a new sheet each time.
I've noticed something similar playing Mini Metro last month.
I was running a Windows 7 VM on an OS X 10.9.5 host with VirtualBox 4.2.28 using my mid-2013 MacBook Air (Intel HD Graphics 5000 1024 MB). Instead of blurring the game for the weekly upgrade menu, it showed the center of my host desktop wallpaper, upside-down and flipped (other than that, there was no distortion whatsoever). It really creeped me out.
https://hackerone.com/reports/293358
https://hackerone.com/reports/293363
https://hackerone.com/reports/293359