Uber Pays Out $6,500 Bounty For Hacking Bug Discovered By Indian Researcher

Uber Pays Out $6,500 Bounty For Hacking Bug Discovered By Indian Researcher

SUMMARY

The bug was an account takeover vulnerability on Uber

The bug was because authorisation was missing on an endpoint

Uber fixed the issue in April

NASDAQ-listed ride-hailing giant Uber has recently fixed a hacking bug found by Indian cybersecurity researcher Anand Prakash and paid him a bounty of $6,500. Prakash told Inc42 that the bug allowed hackers to log into anyone’s Uber account.

After receiving permission from Uber to disclose the bug under the responsible disclosure policy, Prakash explained that the bug was an account takeover vulnerability on Uber that allowed attackers to take over any other user’s Uber account, including those of partners and Uber Eats users. The bug supplied user UUID in the API request and use the leaked token in the response to hijack accounts.

What Happened Exactly?

Prakash explained that his team was able to enumerate other Uber users’ UUID by supplying their phone number or email address in another API request. APIs send information from Uber to app developers, typically to ensure that other apps, like Google Maps, work with Uber.

The cybersecurity researcher also told us that this was because authorisation was missing on an endpoint, which resulted in access token leak of Uber mobile apps of other users by just supplying the user id. The solution was authorising the request, he added.

The bug was reported to Uber on April 19, following which it was triaged on April 25 and fixed on April 26. Working at App Secure, Prakash requested for public disclosure in June and the bug report was then disclosed by Uber on September 9.

A spokesperson for Uber told Inc42, “The bug was quickly fixed through Uber’s bug bounty program, which has paid over $2M USD to more than 600 researchers around the world, including top researchers in India. We are grateful for their contributions to help protect the Uber platform.”

Increasing Security Concerns

In the day and age of data security and concerns costing billions to tech giants such as Facebook, the security breach instances haven’t stopped.

In August, Chennai-based security researcher Laxman Muthiyah found a bug in the Facebook-owned Instagram, which allowed anyone to hack the popular photo-sharing social networking service. The revelation came barely a month after reporting a similar flaw in Instagram.

In July 2019, Michel Rijnders, an online recruiter from the Netherlands, discovered a security loophole that allowed users to post job openings on a company’s official LinkedIn page without any permission, link or association. The postings would then show up on the company’s “jobs” page alongside other vacancies posted by the company itself.

In May 2019, reports surfaced that the user database of Truecaller is being sold on the dark web. The alleged leaked database included names, phone numbers and email addresses of some Truecaller users, which the poster claimed to have acquired through a data breach.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

Uber Pays Out $6,500 Bounty For Hacking Bug Discovered By Indian Researcher-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

Uber Pays Out $6,500 Bounty For Hacking Bug Discovered By Indian Researcher-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

Uber Pays Out $6,500 Bounty For Hacking Bug Discovered By Indian Researcher-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

Uber Pays Out $6,500 Bounty For Hacking Bug Discovered By Indian Researcher-Inc42 Media
Uber Pays Out $6,500 Bounty For Hacking Bug Discovered By Indian Researcher-Inc42 Media
You’re in Good company