Published 12:42 IST, September 16th 2019
New Uber bug discovered by Indian leads to $6500 reward, issue fixed
Anand Prakash, founder of AppSecure, recently bagged $6500 for discovering an exploit in the Uber application. This development set netizens on fire on Twitter.
Anand Prakash, founder of AppSecure, recently bagged $6500 from Uber for discovering an exploit in the company's application (app). The development set netizens, especially Twitterati, on fire, with many demanding that the reward money be higher. Prakash reported the vulnerability to Uber on 19 April, and the company disclosed the report on 9 September. The exploit, now fixed, potentially allowed hackers to seize control of other users' Uber accounts, including being able to hail rides from the host’s location.
The exploit
Detailing the vulnerability in an official blog post (titled "How I could have hacked your Uber account?"), Prakash states that accounts for related Uber services such as Uber Eats, along with those for Uber cabs, were vulnerable to the exploit (now fixed). The attack worked by exploiting a vulnerable Uber Application Programming Interface (API). This API reportedly leaked the mobile app's access token, which left the information of Uber users exposed.
Twitterati hail Prakash
“Access token allowed me to take over victim’s account completely. We were able to see rides, request rides, see payment information, etc. of our test accounts using the leaked token,” stated Prakash in his official blog post. This got Twitterati particularly interested; check out the eye-catching tweets supporting Prakash below:
In summary, the above bug has been identified and fixed. This has undoubtedly led to stricter cybersecurity solutions being implemented by Uber to make the experience of its patrons safe. But there is always scope for improvement. Ride-hailing apps had better wake up to the above reality.
11:56 IST, September 16th 2019