Uber Account Takeover Vulnerability Discovered by Ethical Hacker


The bug allowed hackers to score free rides and food on customers’ accounts by using the victim’s email address or phone number. 

Uber confirmed it has fixed a serious bug that was brought to the company’s attention by Indian ethical hacker, Anand Prakash, a Forbes 30 Under 30 honoree and founder of AppSecure.

The account takeover vulnerability enabled attackers to take over any other user’s Uber account and make purchases at the victim’s expense.

Discovered in April, the same bug impacted Uber driver accounts and Uber Eats accounts. The vulnerability could also be exploited to track a customer’s location.

Prakash discovered that supplying a victim’s phone number or email address to Uber’s Application Programming Interface (API) returned that account’s universally unique identifier (UUID). The UUID is not itself a credential, but it was the key to the second step: a further request made with the victim’s UUID returned private account data, including the access token used by the mobile apps.


“Once you have the leaked Uber UUID from the API request, you can replay the request using the victim’s Uber UUID and get access to private information like access token (mobile apps), location and address,” he said.

With the mobile apps access token, Prakash said he was able to totally compromise a test account in this way, requesting rides, getting payment information and more. Prakash was awarded a £5,300 bounty by Uber for alerting them to the vulnerability, which was rated “severe” under its bug bounty programme.
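The two-step chain described above (contact detail to UUID, then UUID to access token) modelled as an added example. This is not Uber’s API or code: the classes, endpoint names, users, UUIDs, tokens and sessions are all constructed for the illustration. The vulnerable class shows the flaw pattern, and the hardened class shows the two checks that break the chain: the contact lookup only resolves the caller’s own details, and the per-user endpoint refuses any UUID other than the session owner’s and never echoes the access token.

```python
"""Toy model of the chain in the article: (1) resolve a victim's UUID from an
email or phone number, (2) replay a per-user request with that UUID and receive
the account's access token. Added illustration only; all users, UUIDs, tokens,
endpoint names and sessions are constructed and are not Uber's API or code."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    uuid: str
    email: str
    phone: str
    access_token: str   # bearer credential used by the mobile app
    location: str


# Constructed sample accounts (UUIDs and tokens are made up).
ALICE_UUID = "4f8c2f6e-1f1e-4c8a-9b6d-0a1b2c3d4e5f"
BOB_UUID = "a9d3e1b2-7c6f-4d2e-8a1b-9f8e7d6c5b4a"
USERS = [
    User(ALICE_UUID, "alice@example.com", "+15551230001", "tok-alice-0001", "Edinburgh"),
    User(BOB_UUID, "bob@example.com", "+15551230002", "tok-bob-0002", "Glasgow"),
]


def _index(users):
    by_uuid = {u.uuid: u for u in users}
    by_contact = {}
    for u in users:
        by_contact[u.email.lower()] = u
        by_contact[u.phone] = u
    return by_uuid, by_contact


class VulnerableApi:
    """Flaw pattern: unauthenticated contact lookup resolves anyone's UUID, and the
    per-UUID profile endpoint trusts the UUID in the request and echoes the token."""

    def __init__(self, users):
        self._by_uuid, self._by_contact = _index(users)

    def lookup(self, identifier: str) -> Optional[dict]:
        u = self._by_contact.get(identifier.lower())
        return {"uuid": u.uuid} if u else None

    def profile(self, user_uuid: str) -> Optional[dict]:
        u = self._by_uuid.get(user_uuid)
        if u is None:
            return None
        return {"uuid": u.uuid, "email": u.email, "location": u.location,
                "access_token": u.access_token}   # credential leaks here


class HardenedApi:
    """Same endpoints with object-level authorization: every call needs a session,
    lookup only resolves the caller's own contact details, the profile UUID must
    equal the session owner, and access tokens are never returned in responses."""

    def __init__(self, users):
        self._by_uuid, self._by_contact = _index(users)
        self._sessions: Dict[str, str] = {}   # session id -> owner UUID

    def issue_session(self, owner_uuid: str) -> str:
        sid = secrets.token_urlsafe(32)       # stands in for a real login
        self._sessions[sid] = owner_uuid
        return sid

    def _caller(self, session_id: str) -> str:
        owner = self._sessions.get(session_id)
        if owner is None:
            raise PermissionError("authentication required")
        return owner

    def lookup(self, session_id: str, identifier: str) -> Optional[dict]:
        caller = self._caller(session_id)
        u = self._by_contact.get(identifier.lower())
        # Identical "not found" for unknown contacts and other users' contacts,
        # so the endpoint cannot be used to enumerate or resolve other accounts.
        if u is None or u.uuid != caller:
            return None
        return {"uuid": u.uuid}

    def profile(self, session_id: str, user_uuid: str) -> dict:
        caller = self._caller(session_id)
        if not hmac.compare_digest(caller, user_uuid):
            raise PermissionError("not your account")
        u = self._by_uuid[caller]
        return {"uuid": u.uuid, "email": u.email, "location": u.location}


def takeover_via_vulnerable(api: VulnerableApi, victim_contact: str) -> Optional[str]:
    """Attacker path against the flawed API: contact -> UUID -> access token."""
    hit = api.lookup(victim_contact)
    return None if hit is None else api.profile(hit["uuid"]).get("access_token")


def takeover_via_hardened(api: HardenedApi, attacker_session: str,
                          victim_contact: str) -> Optional[str]:
    """Same attacker path against the hardened API; None means it was blocked."""
    try:
        hit = api.lookup(attacker_session, victim_contact)
        return None if hit is None else api.profile(attacker_session, hit["uuid"]).get("access_token")
    except PermissionError:
        return None


VULN = VulnerableApi(USERS)
HARD = HardenedApi(USERS)
ATTACKER_SESSION = HARD.issue_session(ALICE_UUID)   # attacker holds Alice's own session
BOB_SESSION = HARD.issue_session(BOB_UUID)

if __name__ == "__main__":
    print("vulnerable:", takeover_via_vulnerable(VULN, "+15551230002"))
    print("hardened:  ", takeover_via_hardened(HARD, ATTACKER_SESSION, "bob@example.com"))
    print("owner view:", HARD.profile(BOB_SESSION, BOB_UUID))
```

Against the vulnerable model, a phone number or email address alone yields the victim’s token; against the hardened one, the attacker’s valid session for a different account gets the same “not found” as an unknown contact, the profile endpoint rejects a foreign UUID, and even the legitimate owner’s profile response carries no token, so a lookup bug elsewhere cannot be chained into a credential leak.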

After being notified of the flaw, the company patched the bug within days, and a spokesman for Uber said it did not believe the flaw had been exploited by criminals.

“Uber’s bug bounty program has paid over $2m to more than 600 researchers around the world and we’re grateful for their contributions to help protect the Uber platform,” he said.

Last year, Facebook faced a similar problem when 30 million of its users’ accounts were compromised following an access token leak.
