Thanks to an Indian Cyber Security researcher, Anand Prakash, Uber was able to fix a hacking bug in their app. This bug would have allowed hackers to take control of potentially anyone’s Uber account.
For saving Uber from this potential threat Prakash was rewarded handsomely. Uber paid him a bounty of $6,500 (Rs 4.62 Lakhs).
The bug was reported to Uber on April 19, following which it was triaged on April 25 and fixed on April 26.
After receiving permission from Uber to disclose the bug under the responsible disclosure policy, Prakash explained that the bug was an account takeover vulnerability on Uber that allowed attackers to take over any other user’s Uber account, including those of partners and Uber Eats users. The bug supplied user UUID in the API request and use the leaked token in the response to hijack accounts.
Prakash explained that his team was able to enumerate other Uber users’ UUID by supplying their phone number or email address in another API request. APIs send information from Uber to app developers, typically to ensure that other apps, like Google Maps, work with Uber.
Prakash also said that this was because authorization was missing on an endpoint, which resulted in access token leak of Uber mobile apps of other users by just supplying the user id. The solution was authorizing the request, he added.
The vulnerability was classified at an 8.5/10, which, looking at the amount of bounty paid, could have been worrisome.
In an age when everything is available online, data security concerns have increased in the last couple of years. Brands need to be more careful and regressive in order to assure data security for their clients. If fallen into wrong hands, data theft can do severe damage to the users as well as the brands themselves.
