[albinowax_]

Hi, I work at PortSwigger.

> Uber was running some promotional for a free three month license for Burp Proxy

This is flat out wrong - the promotional partnership was done with HackerOne.

> What's weird about it is that I was using Burp Proxy for everything...

Burp Suite is used by tens of thousands of security experts and if we posted vulnerability data back we would get caught in about ten seconds. Also it would be stupid and illegal etc

Could you share the username of this 'Portswigger kid'? As far as I know I'm the only person here that does bug bounty hunting, and I've never received a 25k payout off Uber. So I'm wondering if this person is actually affiliated with PortSwigger at all.

[WUHANCLAN]

Either Uber lied about this guy discovering the flaw so they didn't have to pay me, or Burp Proxy is sending telemetry back to Portswigger with high value vulnerabilities being discovered with the platform. I worked with nobody on this attack, I shared no information with anyone else, and submitted a remote execution vulnerability using HackerOne's supposedly secure triage system.

I wrote it all up on Medium, it got close to 400K reads over the 2018 Christmas holiday with many other stories in a similar vein related to incompetence in their security group. HackerOne is worthless, a scam unless you are full time working for them on bug bounties and already connected with their top ranked researchers.

[WUHANCLAN]

The triage was escalated to Rob Fletcher and Uber's security liaison Lindsey Glovin. You're right, Portswigger was running a promo with HackerOne. After I submitted a couple of different vulnerabilities, they then locked all of my reports and gave the $23,000 bounty award to "shubs (notaffy)"

These were three critical vulnerabilities on the m.uber.com endpoint; I was able to bypass their WAF and XSS_Auditor protections followed by demonstrating reflected SSL'ized XSS under *.uber.com certificate and remote javascript execution capability.

[WUHANCLAN]

Bah there are several closed source plugins for Burp Proxy that are binary only and which constantly relay telemetry data back to Portswigger. I stopped using it for this exact reason, due to Burp Proxy's constant communication back to Portswigger. And the only thing that would need to be relayed back to Portswigger would be high value vulnerabilities that have been discovered.

Which would be trivial to implement as a covert channel in Burp Proxy's update process or any one of another methods of obfuscating and tunneling that data back to Portswigger.