Fouad could exploit this vulnerability to generate promo codes until he found valid ones.
He also found the he could generate promo codes with uber+code_name at will.
As is normally the case, Fouad informed Uber about the brute force vulnerability for them to issue patch.
Surprisingly, Uber did not find the flaw to be interesting enough to be patched.
Uber has fixed the brute force vulnerability in the payment page by applying the rate-limiter.
However, the Promo Codes feature is still vulnerable to brute force attacks.
Anyways, until Uber patches the flaw, potential hackers can enjoy free rides as they come.
source: www.techworm.net
