Anand Prakash, a Bengaluru-based ethical hacker, found a major security loophole in the Uber app that allowed anyone to get free rides for a lifetime. Yes, never pay for your Uber rides, ever! Cool, right?
He released a video showing how anyone could have used the loophole in the Uber app to gain free rides forever. He notes in his blog that the San Francisco-based online transportation network company, which operates in around 528 cities worldwide, had a major security flaw. Users can create an account on the portal and start riding; after a ride is completed they pay either by credit or debit card or in cash. However, when he specified an invalid payment method, for example "abc" or "xyz", the Uber app let him ride for free.
To demonstrate the bug, he obtained permission from Uber and took free rides in the United States and India without being charged a penny. Uber fixed the bug promptly, and Prakash disclosed it on his blog only after the company approved the publication.
“Attackers could have misused this by taking unlimited free rides from their Uber account,” Anand wrote in his blog post. He reported the issue through Uber’s bug bounty program and received a cash reward from Uber.
“Uber’s bug bounty programme works with security researchers all over the world to fix bugs, even when they don’t directly impact our users. We appreciate Anand’s ongoing contributions and were happy to reward him for an excellent report,” said an Uber spokesperson.
He posted the following details on his blog:
POST /api/dial/v2/requests HTTP/1.1
Steps to reproduce:
1) Replayed the above request with random characters as payment_method_id.
2) Ride was free.
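The failure mode behind those two steps, as an added illustration that is not from Prakash's blog or from Uber's code base: a hypothetical ride-request handler (the function names, the pm_ identifier format and the sample payment methods are all made up here) that fails open when the client-supplied payment_method_id does not resolve to anything, beside a hardened version that validates the id, binds it to the authenticated rider and rejects everything else. The hardened check also covers the neighbouring case the page does not mention, a rider submitting another account's payment method id.

```python
# Added illustration, not Uber's code: a hypothetical ride-request handler
# showing how a trusted client-supplied payment_method_id turns into a free
# ride, and how the same check looks when it fails closed.
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class PaymentMethod:
    id: str
    owner_id: str      # rider account the method belongs to
    active: bool = True


@dataclass(frozen=True)
class RideRequest:
    rider_id: str
    payment_method_id: str
    billed_to: Optional[str]   # account that pays the fare; None means nobody


class PaymentError(Exception):
    """Raised when the request must be refused before a ride is dispatched."""


# Constructed sample data standing in for the payment-methods table.
PAYMENT_METHODS: Dict[str, PaymentMethod] = {
    "pm_1001": PaymentMethod("pm_1001", "rider_a"),
    "pm_1002": PaymentMethod("pm_1002", "rider_b"),
    "pm_1003": PaymentMethod("pm_1003", "rider_a", active=False),
}

# Hypothetical identifier format; the real format is not shown on the page.
PM_ID_RE = re.compile(r"^pm_[0-9]{4}$")

Handler = Callable[[str, dict], RideRequest]


def create_request_vulnerable(rider_id: str, body: dict) -> RideRequest:
    """Fails open: a lookup miss on 'abc' is treated as 'nothing to bill'
    instead of an error, so the ride is dispatched and never charged.
    It also never checks that the method belongs to the caller."""
    pm_id = body.get("payment_method_id", "")
    pm = PAYMENT_METHODS.get(pm_id)
    billed_to = pm.owner_id if pm is not None else None
    return RideRequest(rider_id, pm_id, billed_to)


def create_request_hardened(rider_id: str, body: dict) -> RideRequest:
    """Fails closed: validate the id, resolve it, require that it is active
    and owned by the authenticated rider, otherwise refuse the request."""
    pm_id = body.get("payment_method_id")
    if not isinstance(pm_id, str) or not PM_ID_RE.match(pm_id):
        raise PaymentError("malformed payment_method_id")
    pm = PAYMENT_METHODS.get(pm_id)
    # One error for "unknown" and "not yours" so valid ids are not enumerable.
    if pm is None or pm.owner_id != rider_id or not pm.active:
        raise PaymentError("payment method not available for this rider")
    return RideRequest(rider_id, pm_id, billed_to=rider_id)


def is_free_ride(handler: Handler, rider_id: str, pm_id: str) -> bool:
    """True if the handler dispatches a ride that nobody will be billed for."""
    try:
        return handler(rider_id, {"payment_method_id": pm_id}).billed_to is None
    except PaymentError:
        return False   # refused outright, so there is no ride at all


def rejects(handler: Handler, rider_id: str, pm_id: str) -> bool:
    """True if the handler refuses the request instead of dispatching."""
    try:
        handler(rider_id, {"payment_method_id": pm_id})
    except PaymentError:
        return True
    return False


if __name__ == "__main__":
    # Step 1 of the write-up: replay with random characters as payment_method_id.
    for name, handler in (("vulnerable", create_request_vulnerable),
                          ("hardened", create_request_hardened)):
        print(name, "free ride with 'abc':", is_free_ride(handler, "rider_a", "abc"))
```

The point of the comparison is where the "nothing to bill" decision comes from. In the vulnerable shape it falls out of a failed lookup, so any string the client invents produces an unbilled ride; in the hardened shape every accepted request is tied to a payment method that exists, is active and belongs to the caller, and anything else is refused before the ride is dispatched.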
The hack is not quite as simple as it sounds and could not be replicated by just any Tom, Dick or Harry: intercepting the app's request and replaying it with a modified payment_method_id requires some prior knowledge of scripting and tooling.
Uber has now fixed the bug, sparing the company the heavy losses it could have incurred had someone exploited the flaw unnoticed.
This is not the first such achievement for the 24-year-old Vellore Institute of Technology alumnus. The white hat hacker has also been rewarded by companies including Facebook, Twitter, Adobe and Google. He earlier received a cash prize of $15,000 from Facebook for finding a bug in Facebook’s password system.