An Indian cybersecurity researcher Anand Prakash discovered a severe security bug in Uber, the ride-hailing and ride-sharing company. The bug has been fixed by Uber. Uber paid out a bounty of $6,500 to Prakash. The bug allowed hackers to hack anyone’s Uber account including the accounts of partners and Uber Eats users, as reported by Inc42. Prakash was given permission by Uber to share the information about the bug under responsible disclosure policy.
User’s universally unique identifier (UUID) is supplied in the Application Programming Interface (API) request and the response is used by the hackers to seize the account. APIs are used to validate two services so that one works using the data from one. Prakash’s team was able to enumerate other Uber accounts through their phone number or email id.
An Uber spokesperson told TechCrunch, “Uber’s bug bounty program works with security researchers all over the world to fix bugs, even when they don’t directly impact our users. We appreciate Anand’s ongoing contributions and were happy to reward him for an excellent report,”.
The vulnerability was present in the Uber’s API request. Prakash’s team was able to enumerate other Uber accounts with either the user’s email address or phone number. The team used APIs to authenticate two services. In other words, Uber will send an API request using access tokens to Google to work with the Uber app.
Prakash said that the bug was because of the absent authorization at the endpoint that led to a leaked access token. This would help the hacker to access any account.
“The bug was quickly fixed through Uber’s bug bounty program, which has paid over $2M USD to more than 600 researchers around the world, including top researchers in India. We are grateful for their contributions to help protect the Uber platform.”, an Uber spokesperson told to Inc24.
Earlier Prakash had won $15,000 reward from Facebook for reporting a bug. Recently a Chennai-based security researcher Laxman Muthiyah spotted a hacking bug in Instagram not once, but twice!