Indian hacker finds a loophole in Uber app that can get you free rides for a lifetime

Anand Prakash, a Bengaluru-based ethical hacker, found a major security loophole in the Uber app that would have let anyone take free rides for a lifetime. Yes, never pay for your Uber rides, ever. Cool, right?

He released a video showing how anyone could have used the loophole in the Uber app to get free rides indefinitely. He writes on his blog that the San Francisco-based online transportation network company, which operates in around 528 cities worldwide, had a major security flaw. Users create an account, request rides, and at the end of a ride pay by credit or debit card or in cash. However, when he replayed the ride-request API call with an invalid payment_method_id (for example "abc" or "xyz"), Uber's backend accepted the request anyway, and because no valid payment method was attached, the ride was never charged.


To demonstrate the bug, he obtained permission from Uber and took free rides in the United States and India without being charged a penny. Uber fixed the bug promptly, and Prakash disclosed it on his blog only after the company approved the write-up.

“Attackers could have misused this by taking unlimited free rides from their Uber account,” Anand wrote in his blog post. He reported the issue through Uber's bug bounty program and received a cash reward from Uber for it.

“Uber’s bug bounty programme works with security researchers all over the world to fix bugs, even when they don’t directly impact our users. We appreciate Anand’s ongoing contributions and were happy to reward him for an excellent report,” said an Uber spokesperson.

He has posted the following details in his blog:

Vulnerable request:

POST /api/dial/v2/requests HTTP/1.1
Host: dial.uber.com

{"start_latitude":12.925151699999999,"start_longitude":77.6657536,
"product_id":"db6779d6-d8da-479f-8ac7-8068f4dade6f","payment_method_id":"xyz"}

Steps to reproduce:

1) Replayed the above request with random characters as payment_method_id.
2) Ride was free.
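The request above shows the root cause from the client side: the server created the ride with whatever payment_method_id the app sent. The following is an added example, not Uber's code and not from Anand's blog, of what the missing server-side check looks like. It models a ride-request handler over an in-memory store; the rider IDs, payment-method IDs and billing behaviour are all constructed for the example, and the product_id and coordinates are the ones from the request shown above. The hardened handler goes slightly beyond the reported bug: besides rejecting random strings, it also refuses a payment method ID that belongs to a different rider.

```python
import json
import uuid

# Constructed sample data (not real Uber data): two riders, each with one card on file.
PAYMENT_METHODS = {
    "rider-1": {"pm-visa-1111": {"type": "card", "last4": "1111"}},
    "rider-2": {"pm-amex-9999": {"type": "card", "last4": "9999"}},
}

# Product and coordinates taken from the vulnerable request on the page.
PRODUCT_ID = "db6779d6-d8da-479f-8ac7-8068f4dade6f"


def make_body(payment_method_id):
    """Build the JSON body of POST /api/dial/v2/requests with a chosen payment_method_id."""
    return json.dumps({
        "start_latitude": 12.925151699999999,
        "start_longitude": 77.6657536,
        "product_id": PRODUCT_ID,
        "payment_method_id": payment_method_id,
    })


# The replayed request from the page: random characters as the payment method.
ATTACK_BODY = make_body("xyz")


class RideRequestError(ValueError):
    """Raised when a ride request must be refused."""


def parse_request(body):
    """Parse the request body and require the four fields the page's request carries."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise RideRequestError("malformed JSON") from exc
    for field in ("start_latitude", "start_longitude", "product_id", "payment_method_id"):
        if field not in data:
            raise RideRequestError("missing field: " + field)
    if not isinstance(data["payment_method_id"], str):
        raise RideRequestError("payment_method_id must be a string")
    return data


def vulnerable_create_ride(rider_id, body):
    """Trusts the client-supplied payment_method_id, the behaviour the page describes."""
    req = parse_request(body)
    return {"request_id": str(uuid.uuid4()), "rider_id": rider_id,
            "payment_method_id": req["payment_method_id"], "status": "accepted"}


def hardened_create_ride(rider_id, body):
    """Fails closed: payment_method_id must be one of the authenticated rider's own
    stored methods. Unknown strings and another rider's method IDs are both refused."""
    req = parse_request(body)
    pm_id = req["payment_method_id"]
    if pm_id not in PAYMENT_METHODS.get(rider_id, {}):
        raise RideRequestError("payment_method_id is not a payment method of this rider")
    return {"request_id": str(uuid.uuid4()), "rider_id": rider_id,
            "payment_method_id": pm_id, "status": "accepted"}


def settle_ride(ride, fare_cents):
    """Post-trip billing modelled on what the page implies happened: a charge against a
    method that does not exist cannot be made, so the trip is left unpaid. Returns the
    number of cents actually charged."""
    methods = PAYMENT_METHODS.get(ride["rider_id"], {})
    if ride["payment_method_id"] not in methods:
        return 0  # nothing to charge: the free ride
    return fare_cents


def attempt(handler, rider_id, body):
    """Return 'accepted' or 'rejected' for a handler run against one request body."""
    try:
        handler(rider_id, body)
        return "accepted"
    except RideRequestError:
        return "rejected"


if __name__ == "__main__":
    ride = vulnerable_create_ride("rider-1", ATTACK_BODY)
    print("vulnerable handler:", ride["status"], "- charged", settle_ride(ride, 25000), "cents")
    print("hardened handler:", attempt(hardened_create_ride, "rider-1", ATTACK_BODY))
```

The point of the check is that the client never gets to name a payment method the server has not itself issued to that account; validating the ID against the rider's stored methods at request time, rather than discovering at billing time that there is nothing to charge, is what closes the hole.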

The hack is not quite as simple as it sounds and could not have been pulled off by any Tom, Dick or Harry: it required intercepting the app's request to Uber's API, editing the payment_method_id field and replaying it, which takes some familiarity with web traffic tooling and scripting.

Uber has now fixed the bug, sparing the company the heavy losses it could have incurred had someone exploited the flaw unnoticed.

This is not the first such achievement for the 24-year-old Vellore Institute of Technology alumnus. The white-hat hacker has also been rewarded by companies including Facebook, Twitter, Adobe and Google. He earlier received $15,000 from Facebook for finding a bug in Facebook's password-reset flow.
