NASDAQ-listed ride-hailing giant Uber has recently fixed a hacking bug found by Indian cybersecurity researcher Anand Prakash and paid him a bounty of $6,500. Prakash told Inc42 that the bug allowed hackers to log into anyone’s Uber account.
After receiving permission from Uber to disclose the bug under the responsible disclosure policy, Prakash explained that the bug was an account takeover vulnerability on Uber that allowed attackers to take over any other user’s Uber account, including those of partners and Uber Eats users. The bug allowed an attacker to supply a user’s UUID in an API request and use the leaked token in the response to hijack that account.
What Happened Exactly?
Prakash explained that his team was able to enumerate other Uber users’ UUIDs by supplying their phone number or email address in another API request. APIs send information from Uber to app developers, typically to ensure that other apps, like Google Maps, work with Uber.
The cybersecurity researcher also told us that this was because authorisation was missing on an endpoint, which meant the access tokens of other users’ Uber mobile apps were leaked simply by supplying their user ID. The solution was authorising the request, he added.
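To make the distinction between “the caller is logged in” and “the caller is allowed to read this record” concrete, here is an added illustration of the flaw class described above and its fix, written for this article and not taken from Uber or from Prakash’s report. It is a toy in-memory service: the endpoint names, fields, sample accounts and session tokens are all constructed assumptions. The vulnerable handler authenticates the caller but never checks that the caller owns the requested account, and it serialises the whole record, secret included; the fixed handler enforces ownership and leaves the server-side token out of the response regardless.

```python
"""Missing-authorization (IDOR) flaw on a per-user API endpoint, and its fix.

Toy in-memory service constructed for illustration; it is not Uber's code,
and its endpoint names, fields and sample accounts are assumptions.
"""
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Account:
    uuid: str
    email: str
    phone: str
    access_token: str  # server-side secret that must never leave the server


# Constructed sample data: two users and their active sessions.
ACCOUNTS = {
    "u-1111": Account("u-1111", "alice@example.com", "+15550001111", "tok-alice-secret"),
    "u-2222": Account("u-2222", "bob@example.com", "+15550002222", "tok-bob-secret"),
}
SESSIONS = {"sess-alice": "u-1111", "sess-bob": "u-2222"}


def authenticate(session_token: str) -> Optional[str]:
    """Authentication only: map a session token to the calling user's UUID."""
    return SESSIONS.get(session_token)


def lookup_uuid(identifier: str) -> Optional[str]:
    """Resolve a phone number or email address to a UUID (the kind of lookup
    the article describes as the first step)."""
    for acct in ACCOUNTS.values():
        if identifier in (acct.email, acct.phone):
            return acct.uuid
    return None


def get_account_vulnerable(session_token: str, target_uuid: str) -> dict:
    """Authenticated but NOT authorized: any logged-in caller can read any
    account, and the response body carries that account's access token."""
    if authenticate(session_token) is None:
        return {"status": 401, "body": {"error": "login required"}}
    acct = ACCOUNTS.get(target_uuid)
    if acct is None:
        return {"status": 404, "body": {"error": "no such user"}}
    return {"status": 200, "body": asdict(acct)}  # leaks access_token


def get_account_fixed(session_token: str, target_uuid: str) -> dict:
    """Authorized: the caller may only read their own record, and the
    server-side secret is omitted from the response in every case."""
    caller = authenticate(session_token)
    if caller is None:
        return {"status": 401, "body": {"error": "login required"}}
    if caller != target_uuid:
        # Deny before touching the record, so the response does not reveal
        # whether target_uuid exists. A burst of 403s from one session is
        # also the usual footprint of ID enumeration and worth alerting on.
        return {"status": 403, "body": {"error": "forbidden"}}
    acct = ACCOUNTS[caller]
    public = {k: v for k, v in asdict(acct).items() if k != "access_token"}
    return {"status": 200, "body": public}


if __name__ == "__main__":
    victim = lookup_uuid("alice@example.com")
    print("vulnerable:", get_account_vulnerable("sess-bob", victim))
    print("fixed:     ", get_account_fixed("sess-bob", victim))
```

The fix is two separate decisions: an ownership check on every per-user endpoint (a session proving who the caller is says nothing about which records they may read), and keeping credentials out of API responses altogether, so that even a future authorisation slip cannot hand out a usable token.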
The bug was reported to Uber on April 19, following which it was triaged on April 25 and fixed on April 26. Working at App Secure, Prakash requested public disclosure in June, and the bug report was then disclosed by Uber on September 9.
A spokesperson for Uber told Inc42, “The bug was quickly fixed through Uber’s bug bounty program, which has paid over $2M USD to more than 600 researchers around the world, including top researchers in India. We are grateful for their contributions to help protect the Uber platform.”
Increasing Security Concerns
In August, Chennai-based security researcher Laxman Muthiyah found a bug in the Facebook-owned Instagram, which allowed anyone to hack the popular photo-sharing social networking service. The revelation came barely a month after reporting a similar flaw in Instagram.
In July 2019, Michel Rijnders, an online recruiter from the Netherlands, discovered a security loophole that allowed users to post job openings on a company’s official LinkedIn page without any permission, link or association. The postings would then show up on the company’s “jobs” page alongside other vacancies posted by the company itself.
In May 2019, reports surfaced that the user database of Truecaller was being sold on the dark web. The alleged leaked database included names, phone numbers and email addresses of some Truecaller users, which the poster claimed to have acquired through a data breach.