US-based car-hailing giant Uber has had a rough couple of months, embroiled in one controversy after another. Whether it was its CEO Travis Kalanick being caught on dashcam arguing with his own Uber driver over the company's treatment of drivers, prompting a mea culpa from him, or the #DeleteUber campaign trending worldwide because the CEO sat on the Trump advisory council, all of this has kept the giant in the news for all the wrong reasons. Now comes news that a hacker has found a way to get free Uber rides for life.
The hacker of the hour, Anand Prakash, a product security engineer by profession, discovered that the popular car-hailing service had a bug in its app that let a rider take free Uber rides for the rest of their life anywhere in the world where the company operates.
Prakash recently disclosed the security loophole in the Uber app on the blog he runs on web application security.
According to Prakash, he found the Uber blunder when he set out to test the Uber application for security loopholes. All he did was order an Uber and then avoid paying for the ride by exploiting a bug in how the app handled the payment method he specified.
Hailing a cab on Uber is easy: one needs only an account in the app and can start riding. When a ride is completed, the user is given the option of paying for it either in cash or by charging it to their credit or debit card.
Specifying the payment method is where Prakash caught his big fish. He realised that if a ride was submitted with an invalid payment method value, for example abc or xyz, the ride was completed without ever being charged, so one could ride an Uber for free at any time of day, anywhere in the world.
Describing the exploit as extremely easy, Prakash highlighted how attackers could have abused this loophole to take unlimited free rides from their own Uber account.
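To make the failure mode concrete, here is an added example; it is not Uber's code or Prakash's, and the page does not describe Uber's real API. It is a hypothetical fare-settlement handler in Python that reproduces the class of bug the article describes (a payment method value the server does not recognise falls through the payment logic and the ride closes with nothing collected) beside a version that fails closed, plus the kind of probe a bounty hunter would run against both. The rider and payment-method identifiers, the `REGISTERED_METHODS` table, the `Settlement` fields and the sample fare are all constructed for the illustration.

```python
"""Hypothetical fare-settlement handler illustrating the free-ride bug class.

Added example, not Uber's or Anand Prakash's code. Field names, identifiers
and sample data are constructed; the page does not describe Uber's real API.
"""
from dataclasses import dataclass
from decimal import Decimal

FARE = Decimal("12.50")  # constructed sample fare for the demonstrations below

# Constructed sample data: payment methods each rider has actually registered,
# keyed by the identifier the client sends back to the server at settlement.
REGISTERED_METHODS = {
    "rider-42": {"cash": "cash", "card-7f3a": "card"},
    "rider-7": {"card-9b1c": "card"},
}


@dataclass(frozen=True)
class Settlement:
    ride_closed: bool       # True if the ride was accepted and completed
    amount_booked: Decimal  # fare actually booked against a payment method
    status: str


def settle_fare_vulnerable(rider_id: str, payment_method: str, fare: Decimal) -> Settlement:
    """Vulnerable pattern: only recognised methods trigger a charge. Any other
    value falls through the if-chain and the ride closes with nothing booked,
    which matches the behaviour the article describes for values like abc or xyz."""
    kind = REGISTERED_METHODS.get(rider_id, {}).get(payment_method)
    if kind == "card":
        return Settlement(True, fare, "charged_card")
    if kind == "cash":
        return Settlement(True, fare, "collect_cash")
    # BUG: an unknown or invalid method is silently treated as "nothing to charge".
    return Settlement(True, Decimal("0"), "completed_unpaid")


def settle_fare_hardened(rider_id: str, payment_method: str, fare: Decimal) -> Settlement:
    """Fail-closed version: the method must be one this rider registered, the
    fare must be booked in full, and anything else is rejected, never waived."""
    kind = REGISTERED_METHODS.get(rider_id, {}).get(payment_method)
    if kind is None:
        # Reject the settlement. A real service should also log the attempt:
        # a stream of these from one account is a request-tampering signal.
        return Settlement(False, Decimal("0"), "rejected: unknown payment method")
    if kind == "card":
        return Settlement(True, fare, "charged_card")
    return Settlement(True, fare, "collect_cash")


def find_free_ride_values(handler, rider_id: str, candidates, fare: Decimal = FARE) -> list:
    """Probe a settlement handler the way a bounty hunter would: submit each
    candidate payment-method value and report those that close the ride
    while booking less than the full fare."""
    free = []
    for value in candidates:
        result = handler(rider_id, value, fare)
        if result.ride_closed and result.amount_booked < fare:
            free.append(value)
    return free


if __name__ == "__main__":
    # "card-9b1c" belongs to a different rider, so it is also an invalid value here.
    probes = ["abc", "xyz", "card-9b1c", "card-7f3a", "cash"]
    print("vulnerable:", find_free_ride_values(settle_fare_vulnerable, "rider-42", probes))
    print("hardened:  ", find_free_ride_values(settle_fare_hardened, "rider-42", probes))
```

The point of the hardened handler is not the extra `if`; it is that the default branch refuses the settlement instead of completing the ride. Any time a server closes a billable transaction on an input it could not match to a known account object, "I don't recognise this" must mean "reject", not "free".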
The security loophole was discovered and fixed in August last year, and Prakash was duly rewarded by Uber through the company's bug bounty programme.
According to Prakash, he obtained permission from Uber's security team to demonstrate the bug and took a number of free rides in India and the US.
Prakash makes a living finding security bugs. So far, he has earned a whopping $13,500 from Uber alone in bounty rewards.
Prakash is the same hacker who made news a couple of years ago for discovering a flaw that let anyone take over any Facebook account and change its password without the owner's knowledge or permission. He is regarded as a top hacker in the bug bounty community and participates in Facebook's prestigious White Hat programme.
In an interview last year, Joe Sullivan, Uber's Chief Security Officer, said that sometimes, even with a team of highly qualified and well-trained security experts, you need to be constantly looking for ways to improve your service. He added: "This bug bounty programme will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber."
Uber's bug bounty programme currently boasts a pool of 200 researchers who are constantly on the lookout for bugs that could be exploited by malicious hackers. The company has paid out up to $10,000 for some of the critical bugs identified by independent researchers like Prakash.