Published 12:42 IST, September 16th 2019

New Uber bug discovered by Indian leads to $6500 reward, issue fixed

Anand Prakash, founder of AppSecure, recently bagged $6500 for discovering an exploit in the Uber application. This development set netizens on Twitter on fire.

Reported by: Tech Desk

Anand Prakash, founder of AppSecure, recently bagged $6500 from Uber itself for discovering an exploit in the Uber application (app). This development set netizens, especially the Twitterati, on fire, with many demanding that the reward money be higher. Prakash reported this vulnerability to Uber on 19 April, and the company disclosed the report on 9 September. This exploit, now fixed, potentially allowed hackers to seize control of the Uber accounts of other users, including being able to hail rides from the host’s location.

The exploit


Detailing this vulnerability in an official blog post (titled "How I could have hacked your Uber account?"), Prakash states that accounts of related Uber services such as Uber Eats, along with those of Uber cabs, were vulnerable to the new exploit (now fixed). This was done by exploiting a vulnerable Uber Application Programming Interface (API). This API reportedly yielded to the exploit and in turn leaked the mobile app's access token, leaving the information of Uber users exposed.

Twitterati hail Prakash

“The access token allowed me to take over the victim’s account completely. We were able to see rides, request rides, see payment information, etc. of our test accounts using the leaked token,” stated Prakash in his official blog post. This got the Twitterati particularly interested; check out the eye-catching tweets supporting Prakash below:


In summary, the above bug has been identified and fixed. This has undoubtedly led to stricter cybersecurity solutions being implemented by Uber to make the experience of its patrons safe. But there is always scope for improvement. Ride-hailing apps had better wake up to the above reality.

11:56 IST, September 16th 2019