Session not expired When logout [partners.uber.com]
Uber
Team Summary
Official summary from Uber
This report attempts to demonstrate that sessions are not invalidated on logout for partners.uber.com. The behavior could not be reproduced and the researcher became hostile, claiming we were misleading them. No action was taken on behalf of this report. We pride ourselves on honest, open and respectful interactions with researchers -- this report is the exact opposite of that.
Reported by
hurthearts
Vulnerability Details
Technical details and impact analysis
Hi,
Summary
=========
The partners.uber.com website is not expiring the user's session immediately after logout.
When the user logs out, the session is not expired, and requests can still be sent and the server responds with OKAY.
__Steps to Reproduce:__
- Log into the website - partners.uber.com
- Capture any request, for example the profile edit page, using Burp Proxy.
- Logout from the website.
- Replay the request captured in step 2 and notice it displays the proper response.
Thanks,
Tell me if you need a video; I will create one!
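As an added example (not part of the report and not Uber's code), the sketch below turns the four reproduction steps into a regression check against a toy session store, comparing a logout that only clears the browser cookie with one that also deletes the server-side session record. The `SessionStore` class, its method names and the account name are hypothetical and constructed for illustration.

```python
import secrets


class SessionStore:
    """Toy server-side session table: token -> username (constructed for this example)."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def handle_request(self, token):
        """Return the HTTP status an authenticated endpoint would give for this cookie."""
        return 200 if token in self._sessions else 401

    def logout_cookie_only(self, token):
        """Weak logout: the response clears the browser cookie, the server record stays."""
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout_invalidate(self, token):
        """Hardened logout: drop the server-side record, then clear the cookie."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def replay_after_logout(logout_method):
    """Follow the report's four steps and return the status of the replayed request."""
    store = SessionStore()
    token = store.login("driver@example.test")   # step 1: log in (constructed account)
    captured = token                              # step 2: captured request carries this cookie
    assert store.handle_request(captured) == 200  # the captured request works before logout
    getattr(store, logout_method)(token)          # step 3: log out
    return store.handle_request(captured)         # step 4: replay the captured request


if __name__ == "__main__":
    print("cookie-only logout:", replay_after_logout("logout_cookie_only"))
    print("server-side logout:", replay_after_logout("logout_invalidate"))
```

A replayed request that still returns 200 after logout means the token was never invalidated on the server; a 401 is the expected result once the session record is removed.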
Report Details
Additional information and metadata
State
Closed
Substate
Not-Applicable