Uber was vulnerable to subdomain takeover on saostatic.uber.com via Amazon CloudFront CDN. Uber's recently deployed Single Sign-On (SSO) system at auth.uber.com was found vulnerable to session cookie theft by any compromised *.uber.com subdomain. Uber resolved the subdomain takeover vulnerability and granted a $5,000 bounty for the two combined issues. Uber did have some countermeasures in place to prevent this, but the issues were reported together for increased impact.
Source: https://www.arneswinnen.net/2017/06/authentication-bypass-on-ubers-sso-via-subdomain-takeover/
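
The audit below is an added example, not code from the original write-up or from Uber. It shows why a session cookie can reach a compromised sibling subdomain, assuming the cookie carries a `Domain` attribute for the parent domain. The cookie names and values, the `notuber.com` host and the function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: host equals the cookie domain or is a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")  # leading dot is ignored
    return host == cookie_domain or host.endswith("." + cookie_domain)

def receiving_hosts(set_cookie, origin_host, hosts):
    """Map each cookie name in one Set-Cookie value to the hosts that receive it."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    scope = {}
    for name, morsel in jar.items():
        domain = morsel["domain"]
        if domain:
            # Domain attribute present: sent to that domain and all its subdomains.
            scope[name] = [h for h in hosts if domain_match(h, domain)]
        else:
            # Host-only cookie: sent back only to the host that set it.
            scope[name] = [h for h in hosts if h.lower() == origin_host.lower()]
    return scope

def overscoped(set_cookie, origin_host, hosts):
    """Names of cookies that reach any host other than the issuing origin."""
    scope = receiving_hosts(set_cookie, origin_host, hosts)
    return sorted(n for n, hs in scope.items()
                  if any(h.lower() != origin_host.lower() for h in hs))

# Constructed sample data: the uber.com host names are the ones named on the
# page; notuber.com and the cookie names and values are made up.
HOSTS = ["auth.uber.com", "saostatic.uber.com", "notuber.com"]
WEAK = "sid=constructed; Domain=uber.com; Path=/; Secure; HttpOnly"
HARDENED = "__Host-sid=constructed; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(header)
        print("  received by:", receiving_hosts(header, "auth.uber.com", HOSTS))
        print("  overscoped :", overscoped(header, "auth.uber.com", HOSTS))
```

`Secure` and `HttpOnly` do not change which hosts receive the cookie. Omitting the `Domain` attribute does, and the `__Host-` prefix makes browsers reject the cookie if a `Domain` attribute is present.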

