Uber Account Takeover Vulnerability Discovered by Ethical Hacker
The bug allowed hackers to score free rides and food on customers’ accounts by using the victim’s email address or phone number.
Uber confirmed it has fixed a serious bug that was brought to the company’s attention by Indian ethical hacker, Anand Prakash, a Forbes 30 Under 30 honoree and founder of AppSecure.
The account takeover vulnerability enabled attackers to take over any other user’s Uber account and make purchases at the victim’s expense.
Discovered in April, the same bug impacted Uber driver accounts and Uber Eats accounts. The vulnerability could also be exploited to track a customer’s location.
Prakash discovered a hacker could access an account’s unique user ID, or access token, by providing a victim’s phone number or email address to Uber’s Application Programming Interface (API). The API request would provide the hacker with the user’s universally unique identifier (UUID).
“Once you have the leaked Uber UUID from the API request, you can replay the request using the victim’s Uber UUID and get access to private information like access token (mobile apps), location and address,” he said.
With the mobile apps access token, Prakash said he was able to totally compromise a test account in this way, requesting rides, getting payment information and more. Prakash was awarded a £5,300 bounty by Uber for alerting them to the vulnerability, which was rated “severe” under its bug bounty programme.
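The failure described above is a missing object-level authorization check: an identifier a third party can know (email, phone, then UUID) is treated as proof of ownership. The following is an added illustration, not Uber's code; the user records, field names and the `profile_hardened` function are constructed assumptions, and the point is the comparison between a lookup that hands out private fields to any caller and one bound to the authenticated session.

```python
# Added example (not Uber's code): a minimal model of the flaw described in the
# article and of the authorization check that closes it. All data is constructed.
from dataclasses import dataclass


@dataclass
class User:
    uuid: str
    email: str
    phone: str
    access_token: str  # the secret that the leaked UUID was enough to obtain


# Constructed sample records with placeholder identifiers (not real users).
USERS = [
    User("uuid-alice-0001", "alice@example.com", "+15550000001", "tok-alice-secret"),
    User("uuid-bob-0002", "bob@example.com", "+15550000002", "tok-bob-secret"),
]


def lookup_user_vulnerable(identifier):
    """Vulnerable pattern: any caller who knows an email or phone number is handed
    that user's UUID, with no check that the caller is the user in question."""
    for u in USERS:
        if identifier in (u.email, u.phone):
            return {"uuid": u.uuid}
    return None


def profile_vulnerable(uuid):
    """Vulnerable pattern: the UUID alone unlocks private fields, so the value
    returned by lookup_user_vulnerable can be replayed to fetch the token."""
    for u in USERS:
        if u.uuid == uuid:
            return {"access_token": u.access_token}
    return None


def profile_hardened(session_uuid, requested_uuid):
    """Hardened pattern: the requested record must belong to the authenticated
    session (an object-level authorization check), so knowing someone else's
    UUID is not enough, and the access token is never part of a lookup reply."""
    if session_uuid is None or session_uuid != requested_uuid:
        return {"error": "forbidden"}
    for u in USERS:
        if u.uuid == requested_uuid:
            return {"uuid": u.uuid, "email": u.email}  # no secret fields here
    return {"error": "not_found"}
```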
After being notified of the flaw, the company patched the bug within days, and a spokesman for Uber said that it did not believe the flaw had been exploited by criminals.
“Uber’s bug bounty program has paid over $2m to more than 600 researchers around the world and we’re grateful for their contributions to help protect the Uber platform,” he said.
Last year, Facebook faced a similar problem when 30 million of its users’ accounts were compromised following an access token leak.