Indian researcher takes away $6,500 bounty for discovering Uber hacking bug

The security bug would have allowed attackers to log into anyone’s Uber account and take over


Uber fixed a serious security bug recently that was discovered by an Indian cybersecurity researcher named Anand Prakash. The ride-hailing and ride-sharing service paid out a bounty of $6,500 to Anand for discovering the bug.

Uber's logo is displayed on a mobile phone. Image: Reuters.

As reported by Inc42, the bug would have allowed hackers to take over anyone’s Uber account, including the accounts of partners and Uber Eats users. Under Uber's responsible disclosure policy, Anand was given permission to share the details of the bug.

The vulnerability was in an API request through which Anand’s team was able to enumerate other Uber accounts using either a user’s email address or phone number. APIs are used to authenticate one service to another so that one can work with the other’s data; for example, Uber sends API requests carrying access tokens to Google Maps so that the Uber app can use map data. Authorisation was missing on one endpoint, which leaked an access token that could have been used to gain control over any account.
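As an added illustration of the flaw described above (not Uber's code and not from the report; the user table, token strings and function names are constructed), here is a lookup endpoint keyed by email or phone that hands back an access token without checking who is asking, beside a version that requires an authenticated caller, returns only that caller's own record, and never returns a token at all:

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class User:
    email: str
    phone: str
    access_token: str

# Constructed sample accounts; no real data.
USERS = {
    "u1": User("alice@example.com", "+15550000001", "tok-alice-CONSTRUCTED"),
    "u2": User("bob@example.com", "+15550000002", "tok-bob-CONSTRUCTED"),
}

def _find(email: Optional[str] = None, phone: Optional[str] = None) -> Optional[Tuple[str, User]]:
    """Resolve an account by email or phone number (the enumeration key from the report)."""
    for uid, user in USERS.items():
        if (email and user.email == email) or (phone and user.phone == phone):
            return uid, user
    return None

def vulnerable_lookup(email: Optional[str] = None, phone: Optional[str] = None) -> dict:
    """Missing-authorisation version: any caller who knows an email or phone gets the token."""
    hit = _find(email, phone)
    if hit is None:
        return {"status": 404}
    uid, user = hit
    return {"status": 200, "user_id": uid, "access_token": user.access_token}

def hardened_lookup(caller_uid: Optional[str], email: Optional[str] = None,
                    phone: Optional[str] = None) -> dict:
    """Fixed version: the caller must be authenticated, may only read their own record,
    and the response carries no credential material."""
    if caller_uid not in USERS:          # unauthenticated or unknown session
        return {"status": 401}
    hit = _find(email, phone)
    # Same answer for "no such account" and "not your account", so the endpoint
    # cannot be used to confirm whether an email or phone belongs to someone else.
    if hit is None or hit[0] != caller_uid:
        return {"status": 404}
    uid, _ = hit
    return {"status": 200, "user_id": uid}
```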

According to a statement from Uber to Inc42, this bug was fixed quickly through the company’s bug bounty program. It also said that over $2 million was paid to more than 600 researchers around the world, including Indian researchers.
