
A race condition vulnerability exists in Uber Eats' order processing and payment confirmation management, particularly when platform features that extend the transaction lifecycle are utilized (e.g., complex promotions, orders from multiple establishments). By exploiting a payment method susceptible to a race condition (where funds can be withdrawn after initial authorization but before final capture) during this extended time window, it's possible for Uber Eats to confirm and process an order based on temporary payment approval. Subsequently, the actual payment fails when the payment processor attempts to capture the funds, but by then, Uber Eats may have already incurred costs or even completed the delivery, resulting in financial loss.
Disclaimer:
Reproducing or attempting to exploit the techniques described in this article is illegal and strictly prohibited unless done in a controlled, authorized environment. The responsibility for any misuse lies solely with the individual; I do not endorse or take responsibility for unauthorized actions.
CVSS 3.1: 8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Reproduction Steps
1. Prerequisites
- An Uber Eats account.
- A payment method configured in the Uber Eats account that is susceptible to a race condition, allowing funds to be withdrawn or blocked from the source account after initial authorization but before final capture by the merchant (e.g., the previously discussed scenario with Revolut, or a similar setup where the user has near-instantaneous control over fund availability in the account linked to the payment method).
2. Initiate an Uber Eats Order
Begin the process of creating an order through the Uber Eats application or website.
3. Extend Uber Eats Processing Window (Key Step)
- Apply one or more available promotions, especially those that might require additional validation or are known to add a slight delay to the checkout process.
- AND/OR: Utilize the Uber Eats feature to add items from a "nearby establishment" to the current order, or construct an order involving multiple stops, if these actions appear to prolong the time Uber Eats takes to finalize order logic before final payment confirmation. The goal is to create an observable delay in the Uber Eats system before the payment is definitively captured.
4. Proceed to Payment
Select the vulnerable payment method identified in the prerequisites.
5. Trigger the Race Condition on the Payment Method
- At the moment Uber Eats is communicating with the payment processor and while its own system is managing the complexities introduced in Step 3 (this is the extended time window being exploited):
- Simultaneously and as quickly as possible, execute the action to withdraw or transfer funds from the source account associated with the selected payment method (e.g., transfer the balance to another account, to an internal neobank vault, or any action that makes the funds unavailable for capture by Uber Eats). This action must be performed *after* Uber Eats has received initial payment authorization but *before* it attempts final capture.
6. Observe Uber Eats Behavior
- Uber Eats is expected to confirm the order and progress it to statuses such as "Preparing your order". This shows that Uber Eats has acted on the provisional payment authorization rather than on a completed capture.
7. Observe Payment Failure (Subsequently)
- Minutes later, or according to the payment system's processing times, it should be possible to confirm that the final payment transaction has failed on the payment method's side (e.g., insufficient funds) or that the payment processor informs Uber Eats of the inability to capture the funds.
- By this time, the order might already be in an advanced stage of preparation, have been dispatched, or even delivered.
8. Expected PoC Outcome
Goods or services are obtained from Uber Eats without a final payment ever completing, because Uber Eats processes the order on the strength of a provisional authorization during a window that its own platform features create or extend and that the payment method's race condition makes exploitable.
9. Security Impact
The primary security impact for Uber Eats includes:
- Direct Financial Loss: Uber Eats incurs the cost of goods (which it must pay to the restaurant) and delivery costs (paid to couriers) for orders that are ultimately not collected.
- Platform Abuse: Allows malicious users to obtain services (food, deliveries) for free, which could lead to systematic abuse if the vulnerability became widely known.
- Operational Inefficiency: Creates additional workload for Uber Eats' support and finance teams, who would have to manage failed transactions, reconciliations, and potential claims from restaurants or couriers.
- Impact on Business Partners: Could create tension with restaurants and couriers if payment issues become frequent or if Uber Eats attempts to pass on some of these losses to them.
- Platform Integrity: Although not direct data theft, it affects the integrity of the platform's transaction cycle, as processes (deliveries) are completed that should not have proceeded without a firm payment guarantee.
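To make the authorize/capture gap concrete from the defender's side, the following added example (not Uber Eats' code or any processor's API; the gateway, balances and order states are constructed) contrasts an order flow that commits to fulfilment on authorization with one that waits for a successful capture, and adds the reconciliation check that would surface the first pattern's unfunded orders.

```python
# Constructed example: toy gateway, balances and states; not Uber Eats' or
# any payment processor's real code or API.
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    PAYMENT_PENDING = "payment_pending"
    PREPARING = "preparing"    # restaurant told to start: cost incurred
    CANCELLED = "cancelled"

@dataclass
class Gateway:
    """Toy processor: authorize checks funds, capture re-checks and debits."""
    balance: int

    def authorize(self, amount: int) -> bool:
        return self.balance >= amount

    def capture(self, amount: int) -> bool:
        if self.balance < amount:
            return False
        self.balance -= amount
        return True

@dataclass
class Order:
    amount: int
    state: State = State.PAYMENT_PENDING
    captured: bool = False

def confirm_on_authorization(order, gw, during_window):
    """Weak pattern: the order advances on authorization alone; capture runs
    later, after the platform-side work that `during_window` stands for."""
    if gw.authorize(order.amount):
        order.state = State.PREPARING       # committed before capture
        during_window(gw)                   # balance may change here
        order.captured = gw.capture(order.amount)
    return order

def confirm_on_capture(order, gw, during_window):
    """Hardened pattern: fulfilment waits for a successful capture, and a
    failed capture cancels the order before any cost is incurred."""
    if gw.authorize(order.amount):
        during_window(gw)
        order.captured = gw.capture(order.amount)
    order.state = State.PREPARING if order.captured else State.CANCELLED
    return order

def unfunded_fulfilments(orders):
    """Reconciliation: orders that reached fulfilment without a capture."""
    return [o for o in orders if o.state is State.PREPARING and not o.captured]
```

`during_window` is whatever happens between authorization and capture; passing a callback that empties the gateway balance models the window closing with no funds left.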