News

Researcher Finds Bug That Allowed Free Uber Rides

Bug bounty programs can be a lucrative income source for white-hat hackers and it was so for security researcher Anand Prakash who discovered a huge flaw in the Uber’s system. The flaw would essentially let people abusing it book rides for which they never have to pay.

The bug was discovered by Anand Prakash all the way back in August where he received permission from Uber to test it in the U.S. as well as India. He was able to successfully exploit the bug in both locations and get free rides with Uber.

Prakash reported the issue through the proper channels and used Uber’s bug bounty program. Bug bounty programs are common these days as hackers are rewarded for doing good rather than selling the exploit to the highest bidder on the black market. Hackers can make $100 to $10,000 at Uber depending on the severity of the bug and whether it impacts other users. Uber fixed the bug the same day Prakash reported it and paid him $5,000, but Prakash waited until this week to publicly discuss the bug.

The bug occurred when specifying a method of payment. Prakash showed in a proof-of-concept video that he easily could intercept the communication and specify an invalid payment method with a simple random string.

“Attackers could have misused this by taking unlimited free rides from their Uber account,” Anand Prakash explained in a blog post.

“Uber’s bug bounty program works with security researchers all over the world to fix bugs, even when they don’t directly impact our users. We appreciate Anand’s ongoing contributions and were happy to reward him for an excellent report,” an Uber spokesperson said.

It is easy to see why companies run these sort of bug bounty programs. $5,000 is a small price to pay considering how much money Uber could have lost with operations in 528 cities worldwide. That is if Prakash wasn’t a good guy and sold his information to the highest bidder instead of reporting it.

Bohs Hansen

Disqus Comments Loading...

Recent Posts

Phil Spencer Is Against Expansions That Are “Manipulative” and Cut From Base Games

Phil Spencer has spoken out against what he calls "manipulative expansions"—additional content derived from material…

18 hours ago

Razer Launches USB 4 Dock for Gaming and Productivity

Razer has introduced the USB 4 Dock, a high-performance accessory designed to combine ultra-fast data…

21 hours ago

RTX 50 Will Seize the Whole Market Starting in December, Says GPU Cooling Supplier

A major supplier of GPU cooling components has indicated that we could see the arrival…

21 hours ago

MSI MEG X870E GODLIKE Motherboard Hits Stores for $1,099

MSI first unveiled its top-tier AM5 motherboard, the MEG X870E GODLIKE, in August this year.…

22 hours ago

Anker SOLIX C1000 Portable Power Station

80% UltraFast Recharging in 43 Minutes: Be ready for adventure in 43 minutes (100% in…

1 day ago

ASUS TUF Gaming FX707VI 17.3″ Full HD 144Hz Gaming Laptop

Powered by Intel's 13th Generation i7-13620H 10 Core Processor Dedicated NVIDIA GeForce RTX 4070 (140…

1 day ago