September 13, 2019
Uber, the renowned transportation network company known for letting people find a cab in seconds through a mobile interface, recently fixed a significant security flaw that would have let cybercriminals order rides on clients’ accounts using only their mobile numbers or email addresses.
Hackers also could have used the vulnerability to order food at the customers’ expense and to learn the real-time location of an actual Uber client. The exploit was discovered and reported to Uber by an online security specialist named Anand Prakash; it was exploitable back in April and was recently fixed.
The researcher who discovered the flaw supplied a mobile number or an email address linked to an account to Uber’s API (Application Programming Interface) and gained access to the client’s login credentials, that is, their access token.
Recognized By Uber’s Bug
The APIs send data from Uber to the developers of third-party apps so that their applications can work with the transportation network company; Google Maps is a prime example.
Once Prakash brought the vulnerability to its attention, the company recognized the researcher’s contribution and, under the terms of its bug bounty program, awarded Prakash $6,500 (about £5,300). The bug was rated 8.5 on a 1 to 10 scale, with ten being the most severe. The firm pays a maximum of $50,000 for community contributions of this kind.
Several high-profile companies in the United States and around the globe are adopting similar bug bounty programs, since they represent a potential win-win: researchers are rewarded for their talent, skill, and work, and the firm in question resolves a potentially threatening situation. Google is a prime example.
Fortunately for users and for the reputation of the company itself, Uber moved quickly after the potential vulnerability was brought to its attention and fixed it just a couple of days after the
Although the company wasn’t completely sure, a spokesperson for Uber stated that the firm didn’t think the flaw had been exploited by criminals working on the digital platform, claiming that Uber implements automated protection that can quickly spot questionable behavior or
Automated Protection Measures
The firm’s automated protection measures can detect, for example, whether a customer signs in from an unusual device, and will issue an alert in the form of a confirmation request or a prompt to reset the login information. Everything is designed with online security as the primary factor.
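How an unusual-device check of this kind can be put together, as an added illustration that is not Uber’s own code: the engine below assumes primary authentication has already succeeded and then decides whether to hand out an access token. A device the account has never used gets a confirmation challenge instead of a token, every such attempt is recorded as an alert, and repeated unrecognized devices escalate to a forced reset. The account, device identifiers, attempt threshold and token format are all constructed for the example.

```python
"""Added example (not Uber's code): withhold the access token from an
unrecognized device and raise a confirmation or reset step instead."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    """A customer account and the device fingerprints it has signed in from before."""
    email: str
    known_devices: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    """What the sign-in flow should do next."""
    action: str  # "issue_token", "challenge" or "reset_required"
    reason: str
    token: Optional[str] = None


class LoginRiskEngine:
    """Decide whether a sign-in that already passed primary authentication
    (password or similar) should receive a session token."""

    def __init__(self, accounts: Dict[str, Account], unknown_device_limit: int = 3):
        self.accounts = accounts
        self.unknown_device_limit = unknown_device_limit  # constructed threshold
        self._unknown_attempts: Dict[str, int] = {}
        self.alerts: List[str] = []

    def evaluate(self, email: str, device_id: str) -> Decision:
        acct = self.accounts.get(email)
        if acct is None:
            # Same response as for an unrecognized device, so the caller cannot
            # learn whether the address belongs to an account.
            return Decision("challenge", "unrecognized device")
        if device_id in acct.known_devices:
            # Hypothetical token format; a real system mints a random, expiring token.
            return Decision("issue_token", "recognized device", token=f"tok-{device_id}")
        n = self._unknown_attempts.get(email, 0) + 1
        self._unknown_attempts[email] = n
        self.alerts.append(
            f"ALERT account={email} device={device_id} unrecognized (attempt {n})"
        )
        if n >= self.unknown_device_limit:
            return Decision("reset_required", "repeated sign-ins from unrecognized devices")
        return Decision("challenge", "unrecognized device")

    def confirm_device(self, email: str, device_id: str) -> None:
        """Record a device after the customer confirms it out of band."""
        self.accounts[email].known_devices.add(device_id)
        self._unknown_attempts.pop(email, None)


def run_demo() -> List[str]:
    """Constructed scenario; returns the sequence of actions the engine took."""
    engine = LoginRiskEngine({
        "rider@example.com": Account("rider@example.com", {"phone-A"}),
    })
    actions = []
    actions.append(engine.evaluate("rider@example.com", "phone-A").action)   # issue_token
    actions.append(engine.evaluate("rider@example.com", "laptop-X").action)  # challenge
    engine.confirm_device("rider@example.com", "laptop-X")                   # user confirmed
    actions.append(engine.evaluate("rider@example.com", "laptop-X").action)  # issue_token
    for dev in ("dev-1", "dev-2", "dev-3"):                                   # burst of new devices
        actions.append(engine.evaluate("rider@example.com", dev).action)     # ... reset_required
    actions.append(engine.evaluate("nobody@example.com", "phone-A").action)  # challenge
    return actions


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

The design point is that the token, the thing the reported flaw leaked, is only ever created on the recognized-device path; every other path produces an alert and a user-facing step, which is the behaviour the article attributes to Uber’s automated protection.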
According to data from Uber, the company’s bounty program has paid out more than $2 million to date as a token of appreciation to the researchers and independent investigators who continually bring flaws and vulnerabilities to its attention. Over 600 people in locations around the globe have benefited from the program.
The approach of hijacking login credentials and accounts was originally used by a cybercriminal in an attack on social media networking giant Facebook back in October of last year.
Stealing Access Tokens
The cybercriminal implemented the same strategy: he stole “access tokens” and, just like that, more than 30 million Facebook accounts were breached. To this date the author or organization behind that attack remains unidentified, and as a result the FBI opened a probe last year.
Uber is one of the world’s most widely known companies in its field, with operations in nearly 800 locations around the planet. The firm is worth approximately $57 billion, according to recent data.
Uber’s bounty program is a necessity because, as usually happens with big companies that make their living online, the existing threats are often bigger and more powerful than the firm’s own cybersecurity staff. Offering rewards to researchers who can spot potentially dangerous vulnerabilities remains an excellent idea.