Posted on September 13, 2019 at 3:04 AM
Uber, the renowned transportation network company known for letting people find a cab in seconds through a mobile app, recently fixed a significant security flaw that would have let cybercriminals order rides on clients’ accounts using only their mobile numbers or email addresses.
Hackers could also have used the vulnerability to order food at the customers’ expense and to learn the real-time location of an actual Uber client. The flaw was discovered and reported to Uber by security researcher Anand Prakash; it was exploitable back in April and has since been fixed.
The researcher who discovered the flaw supplied a mobile number or an email address linked to an account to Uber’s API (Application Programming Interface) and obtained that client’s access token, the credential that stands in for the login and grants access to the account.
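The flaw described above is a missing authorization check: an endpoint that hands back an account’s access token to whoever can name the account. The example below is added here and is not Uber’s code or API; the account store, the identifiers, the token values and the function names are all constructed for illustration. It shows the vulnerable lookup pattern beside a hardened version that only releases a token to the authenticated caller who owns the account.

```python
# Hypothetical account store, constructed for this example (not Uber data).
# Token values are obviously fake placeholders.
ACCOUNTS = {
    "alice@example.com": {"user_id": "u1001", "phone": "+15550001111", "access_token": "tok-alice-SAMPLE"},
    "bob@example.com":   {"user_id": "u2002", "phone": "+15550002222", "access_token": "tok-bob-SAMPLE"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested resource."""


def find_account(identifier):
    """Resolve an email address or phone number to an account record, or None."""
    for email, acct in ACCOUNTS.items():
        if identifier == email or identifier == acct["phone"]:
            return acct
    return None


def token_lookup_insecure(identifier):
    """Vulnerable pattern: treats knowing an email/phone as proof of ownership.

    Anyone who can guess or look up a victim's contact details receives the
    victim's access token. This is the class of defect the article describes.
    """
    acct = find_account(identifier)
    return acct["access_token"] if acct else None


def token_lookup_hardened(caller_user_id, identifier):
    """Hardened pattern: the caller must already be authenticated, and the
    account resolved from the identifier must belong to that same caller.

    'Not found' and 'not yours' share one error so the endpoint cannot be used
    to enumerate which emails or phone numbers have accounts.
    """
    acct = find_account(identifier)
    if acct is None or acct["user_id"] != caller_user_id:
        raise Forbidden("not authorised")
    return acct["access_token"]


if __name__ == "__main__":
    # Insecure: an unauthenticated caller obtains Bob's token from his email.
    print(token_lookup_insecure("bob@example.com"))
    # Hardened: Alice (u1001) asking for Bob's phone number is refused.
    try:
        token_lookup_hardened("u1001", "+15550002222")
    except Forbidden as exc:
        print("refused:", exc)
```

The decisive difference is the second argument of the hardened function: `caller_user_id` must come from the server-side session or bearer credential, never from the request body, so the check cannot be satisfied by the same attacker-controlled input that caused the original problem.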
Recognized By Uber’s Bug Bounty Program
Uber’s APIs exist so that third-party applications can work with the transportation network company: they send data from Uber to the developers of those apps. Google Maps is a perfect example.
Once Prakash brought the vulnerability to its attention, the company recognized the researcher’s contribution and, under the terms of its bug bounty program, gave him a reward of $6,500 (about £5,300). The bug was rated 8.5 on a 1 to 10 scale, with ten being the most severe. The firm pays a maximum of $50,000 for community contributions of this kind.
Several high-profile companies in the United States and around the world are increasingly adopting similar bug bounty programs, since they represent a win-win scenario: researchers are rewarded for their talent, skill, and work, and the firm in question resolves a potentially threatening situation. Google is a prime example.
Fortunately for users and for the reputation of the company itself, Uber moved quickly after the potential vulnerability was brought to its attention and fixed it just a couple of days after the notification.
Although the company wasn’t completely sure, a spokesperson associated with Uber stated that the firm didn’t think the flaw had been exploited by criminals, noting that Uber runs automated protection that can quickly spot questionable behavior or activity.
Automated Protection Measures
The firm’s automated protection measures can detect, for example, when a customer signs in from an unusual device, and they respond with an alert that asks the customer to confirm the sign-in or to reset the login information. Everything is built with online security as the primary consideration.
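The detection described above, new-device sign-in alerting, can be illustrated with a small baseline check. The code below is an added example and is not Uber’s detection logic; the log format, the device fingerprints and the user ids are constructed for this illustration. It builds a per-user set of previously seen devices from successful logins and raises an alert, with a confirm-or-reset action, the first time a user signs in from a device not in that set.

```python
from dataclasses import dataclass

# Constructed sample log lines (not real Uber telemetry). Format assumed here:
#   <timestamp> user=<user id> device=<device fingerprint> outcome=<success|failure>
SAMPLE_LOG = """\
2019-04-01T08:00:00Z user=u1001 device=dev-aaa outcome=success
2019-04-01T09:12:00Z user=u1001 device=dev-aaa outcome=success
2019-04-02T22:40:00Z user=u1001 device=dev-zzz outcome=success
2019-04-02T22:41:00Z user=u2002 device=dev-bbb outcome=success
2019-04-03T01:05:00Z user=u2002 device=dev-ccc outcome=failure
"""


@dataclass
class LoginEvent:
    ts: str
    user: str
    device_id: str
    outcome: str


def parse_line(line):
    """Parse one log line into a LoginEvent; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"user", "device", "outcome"} <= fields.keys():
        return None
    return LoginEvent(parts[0], fields["user"], fields["device"], fields["outcome"])


def parse_log(text):
    """Parse a multi-line log, skipping blank and malformed lines."""
    events = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in events if e is not None]


def detect_new_device_logins(events, known_devices=None):
    """Return alerts for successful sign-ins from devices the user has not used before.

    known_devices: optional dict user -> set of device ids seen before this batch.
    A user with no baseline at all (first login ever) produces no alert, because
    there is nothing to compare against; that cold-start gap is a known limit of
    this approach and is why real systems seed the baseline at account creation.
    Failed logins never extend the baseline: only a completed sign-in proves the
    device was actually used by someone holding valid credentials.
    """
    known = {u: set(d) for u, d in (known_devices or {}).items()}
    alerts = []
    for e in events:
        if e.outcome != "success":
            continue
        if e.user in known and e.device_id not in known[e.user]:
            alerts.append({
                "ts": e.ts,
                "user": e.user,
                "device": e.device_id,
                "action": "require_confirmation_or_password_reset",
            })
        known.setdefault(e.user, set()).add(e.device_id)
    return alerts


if __name__ == "__main__":
    for alert in detect_new_device_logins(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this flags exactly one event: u1001 signing in from dev-zzz after two sessions on dev-aaa. The failed attempt by u2002 from dev-ccc is neither alerted nor added to the baseline, so a later successful login from dev-ccc would still be treated as new.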
According to data from Uber, the company’s bounty program has paid out, to date, more than $2 million in recognition of the researchers and independent investigators who continually bring flaws and vulnerabilities to its attention. Over 600 people in locations around the globe have benefited from the program.
The approach of hijacking login credentials and accounts was previously used by a cybercriminal in an attack on social media giant Facebook in October of last year.
Stealing Access Tokens: Similar Cases
The cybercriminal implemented the same strategy: he stole “access tokens,” and just like that more than 30 million Facebook accounts were breached. To date, the individual or group behind that attack remains unidentified, and the FBI opened a probe last year as a result.
Uber is one of the world’s most widely known companies in its field, with operations in nearly 800 locations around the planet. The firm is worth approximately $57 billion, according to recent data.
Uber’s bounty program is a necessity because, as usually happens with big companies that make their living online, the threats it faces are often bigger and more powerful than the firm’s own cybersecurity staff. Offering rewards to researchers who can spot potentially dangerous vulnerabilities remains an excellent idea.