# Privacy Fail: Uber Protocol Sends Driver Pax Actual Mobile and Vice Versa



## Undermensch (Oct 21, 2015)

Oh wow!

I noticed this by accident yesterday when a rider was sending me iMessages not SMS messages through the relay number. I posted another thread asking if anyone had seen this before.

I first tested this by installing the Windows 10 app and requesting a ride from both another driver and myself.

- Click "..." on the bottom right after the ride is created
- Choose Message Driver
- For the other driver, I saw a phone number that was not mine
- For myself, I saw my driver phone number (not the same as my rider account)
- Neither of these numbers was the usual rider relay number (and I don't see a technical reason why it couldn't just display the relay number instead)

Screenshot of my number being displayed is below. I've blacked out the number but left the area code of 732. For my area the current relay number is area code 201.
I then used Fiddler and tested two scenarios:

Capturing Windows 10 Rider App Traffic Only

- When a Ride is created, the Uber protocol message sent to the rider contains the actual phone number of the driver
- If the user selects "Message Driver", they are shown this actual phone number of the driver instead of the relay number
- Relevant request path: `/rt/riders/{guid}/status`
- Relevant JSON response snippet:

```json
{
  "trip": {
    "id": "{guid}",
    "uuid": "{guid}",
    "pickupLocation": {
      "type": "other",
      "uuid": "{guid}",
      "id": "",
      "address": "",
      "formattedAddress": "",
      "addressComponents": [],
      "nickname": "",
      "latitude": {lat},
      "longitude": {lon},
      "language": "en",
      "title": "",
      "subtitle": ""
    },
    "paymentProfileUUID": "{guid}",
    "useCredits": false,
    "sourceTag": "",
    "extraPaymentData": {"paymentType": "default"},
    "vehicleViewId": {id},
    "canSplitFare": true,
    "canShareETA": true,
    "surgeMultiplier": 1,
    "requestedTime": {time},
    "dispatchPercent": {some_weird_number},
    "driver": {
      "uuid": "{guid}",
      "name": "{driver_name}",
      "mobile": "*{actual_driver_phone_number}*",
      "rating": {driver rating},
      "pictureUrl": "{driver_picture_url_on_cloudfront}",
      "status": "Accepted",
      "partnerCompany": "n/a",
      "displayCompany": false,
      "mobileCountryIso2": "US",
      "mobileDigits": "{actual_driver_phone_number_without_formatting}",
      "flowType": "P2P",
      "location": {"latitude": {lat}, "longitude": {lon}},
      "isAccessibilityTripViewEnabled": false,
      "isCallButtonEnabled": true
    },
    "vehicle": {
      "uuid": "{guid}",
      "year": {year},
      "exteriorColor": "{color}",
      "interiorColor": "{color}",
      "licensePlate": "{plate}",
      "licensePlateCountryId": 1,
      "licensePlateState": "{state}",
      "pictureImages": [{"width": 0, "height": 0, "url": "{car_picture_url}"}],
      [...]
```

Proxying Driver App iPhone Traffic Through Fiddler Proxy with Trusted Root Certificate

- When a Ride is accepted, the Uber protocol message sent to the driver contains the actual phone number of the rider
- Relevant request path: `/rt/drivers/{guid}/schedule`
- Relevant JSON response snippet:

```json
[...]
"driver": {"status": "dispatched", "inFifo": false},
"notifications": [],
"acceptWindow": null,
"entities": {
  "{guid}": {
    "title": "{actual_name}",
    "firstName": "{actual_name}",
    "lastName": "",
    "rating": {rider_rating},
    "type": "Rider",
    "thirdPartyIdentities": {},
    "uuid": "{guid}",
    "id": "{guid}",
    "mobile": "*{actual_rider_phone_number}*"
  }
}}}
```


This is not great. Riders and drivers who want to creep on people have been able to do this either by just using the Windows 10 app or by proxying their traffic through Fiddler. A lot of people have their Facebook profile searchable by their phone number. That makes for a pretty big privacy violation.
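Both leaks above are the same class of bug: the counterparty's real number is serialized into the client response at all, and the UI merely decides whether to show it. The Python below is an added example, not code from this thread or from Uber, showing the guard a backend would apply before a status or schedule response leaves the API, plus an audit that flags any phone field still carrying a non-relay value. The field names (`driver.mobile`, `driver.mobileDigits`, `entities.{guid}.mobile`) mirror the quoted snippets; the relay number, GUIDs, names and phone numbers are constructed placeholders.

```python
import json
import re
from typing import Any

# Fields that carried the counterparty's real number in the quoted responses.
PHONE_FIELDS = {"mobile", "mobileDigits"}

# Constructed sample relay number; the thread only says the local relay used area code 201.
RELAY_NUMBER = "+12015550100"


def _digits(value: str) -> str:
    """Normalize a phone string to bare digits so "+1 (732) ..." and "1732..." compare equal."""
    return re.sub(r"\D", "", value)


def mask_phone_fields(obj: Any, relay: str) -> Any:
    """Return a copy of obj with every phone field rewritten to the relay number.

    'mobile' gets the formatted relay string and 'mobileDigits' its bare digits,
    matching the two forms seen in the rider status response.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if key in PHONE_FIELDS and isinstance(value, str):
                out[key] = _digits(relay) if key == "mobileDigits" else relay
            else:
                out[key] = mask_phone_fields(value, relay)
        return out
    if isinstance(obj, list):
        return [mask_phone_fields(item, relay) for item in obj]
    return obj


def find_unmasked_numbers(obj: Any, relay: str, path: str = "") -> list[str]:
    """Audit: list JSON paths of phone fields whose value is not the relay number."""
    hits: list[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key in PHONE_FIELDS and isinstance(value, str):
                if _digits(value) != _digits(relay):
                    hits.append(child)
            else:
                hits.extend(find_unmasked_numbers(value, relay, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_unmasked_numbers(item, relay, f"{path}[{i}]"))
    return hits


# Constructed sample responses shaped like the snippets quoted in the thread
# (GUIDs, names and numbers are placeholders, not real values).
SAMPLE_STATUS = {
    "trip": {
        "id": "trip-guid-placeholder",
        "driver": {
            "uuid": "driver-guid-placeholder",
            "name": "Sample Driver",
            "mobile": "+1 (732) 555-0123",
            "mobileCountryIso2": "US",
            "mobileDigits": "17325550123",
            "isCallButtonEnabled": True,
        },
        "vehicle": {"licensePlate": "PLATE-PLACEHOLDER"},
    }
}

SAMPLE_SCHEDULE = {
    "driver": {"status": "dispatched", "inFifo": False},
    "entities": {
        "rider-guid-placeholder": {
            "firstName": "Sample Rider",
            "type": "Rider",
            "mobile": "+17325550199",
        }
    },
}


def audit_and_mask(response: dict, relay: str = RELAY_NUMBER) -> tuple[list[str], dict]:
    """Report which fields leak a real number in the raw response, and return the masked copy."""
    return find_unmasked_numbers(response, relay), mask_phone_fields(response, relay)


if __name__ == "__main__":
    for name, sample in (("status", SAMPLE_STATUS), ("schedule", SAMPLE_SCHEDULE)):
        leaks, masked = audit_and_mask(sample)
        print(f"{name}: phone fields leaking a non-relay number -> {leaks}")
        print(json.dumps(masked, indent=2))
```

The audit is the piece worth wiring into a test suite or an egress proxy: a response that still contains a non-relay value in any phone field is a regression, regardless of what the client chooses to render.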


----------



## Dodge Uber (Jan 30, 2016)

This has been happening in Vegas since Thursday; about a third of my customers who text or call me show up with their real phone number.


----------



## LV-Reni (Oct 31, 2015)

Dodge Uber said:


> This has been happening in Vegas since Thursday; about a third of my customers who text or call me show up with their real phone number.


Drove all weekend and didn't happen once to me.

I did have 2 PAX that I was unable to reach, recorded message said PAX was unavailable.


----------



## Dodge Uber (Jan 30, 2016)

LV-Reni said:


> Drove all weekend and didn't happen once to me.
> 
> I did have 2 PAX that I was unable to reach, recorded message said PAX was unavailable.


Yeah, they fixed it sometime Friday night/Saturday morning. All day Thursday and Friday, though, I would text the passenger airport pick-up instructions using the Uber number and about half the time get replies from real numbers.


----------



## WCSGuy (Mar 19, 2016)

This proves once again that no good can come from Windows.


----------



## Undermensch (Oct 21, 2015)

Dodge Uber said:


> Yeah, they fixed it sometime Friday night/Saturday morning. All day Thursday and Friday, though, I would text the passenger airport pick-up instructions using the Uber number and about half the time get replies from real numbers.


Interesting. I'm going to have to re-run the test just to make sure they are still sending the real number in the protocol. I suspect that they are still doing that because that number wasn't getting shown to me, it was just there if I wanted to dig to find it.


----------

