This Indian researcher earned Rs. 4.6L for detecting Uber's bug
Founder of a cyber security firm and an ethical hacker by profession, Anand Prakash received a reward of about Rs. 4.6 lakh from global ride-hailing giant Uber for reporting a bug in its app in 2019. Prakash discovered the bug in 2017; it allowed users to take free rides for life. Recently, Prakash revealed in a LinkedIn post how he detected that bug.
Prakash discovered the bug through a routine check-up
While the free rides triggered by the bug would have made things easier for customers, the company would have suffered a huge loss. In his long post, Prakash revealed that he came across the bug while conducting a routine check-up of the Uber app, which he had picked because it seemed an interesting case study.
Users booked a ride and used an invalid payment method
Since Uber had over 131 million users, Prakash was curious to know what vulnerabilities in the app might also interest other hackers. He found that users were able to take several free trips in India and the US: they booked a ride, used an invalid payment method, and the ride eventually turned out free for them.
Prakash alerted Uber and the bug was fixed immediately
"I even made a video to show proof-of-concept to show that all I had to do was specify an invalid payment method, expressed in a simple string of characters like 'abc' or 'xyz,' and not be billed for the ride," read Prakash's LinkedIn post. Prakash further revealed that he alerted Uber about this and the company fixed it immediately, preventing potential future risks.
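The flaw described above is a server accepting a client-supplied payment method identifier without checking it against the rider's own instruments, then letting the ride proceed when the charge fails. The following is an added illustration, not code from Prakash's report or from Uber; the rider, card and fare values are constructed, and the `charge` function is a stand-in for a real payment processor.

```python
from dataclasses import dataclass, field

# Constructed sample data for this example; none of these values come from Uber.
@dataclass
class PaymentMethod:
    method_id: str
    status: str  # "active" or "expired"

@dataclass
class Rider:
    rider_id: str
    payment_methods: dict = field(default_factory=dict)  # method_id -> PaymentMethod

def charge(rider: Rider, method_id: str, amount: int) -> bool:
    """Simulated payment processor: succeeds only for an active method on file."""
    method = rider.payment_methods.get(method_id)
    return method is not None and method.status == "active"

def book_ride_unsafe(rider: Rider, method_id: str, fare: int) -> dict:
    """Flawed pattern: the booking trusts whatever method id the client sent and
    treats a failed charge as non-fatal, so the ride is granted but never billed."""
    ride = {"rider": rider.rider_id, "method": method_id, "fare": fare, "billed": False}
    ride["billed"] = charge(rider, method_id, fare)  # False for a string like "abc"
    return ride  # ride still exists and proceeds even when billed is False

def book_ride_safe(rider: Rider, method_id: str, fare: int) -> dict:
    """Hardened pattern: resolve the method id server-side against the rider's own
    instruments, reject anything unknown or inactive before creating the ride,
    and treat a failed charge as an error rather than a free trip."""
    method = rider.payment_methods.get(method_id)
    if method is None or method.status != "active":
        raise ValueError(f"payment method {method_id!r} is not valid for this rider")
    if not charge(rider, method_id, fare):
        raise RuntimeError("charge failed; ride not created")
    return {"rider": rider.rider_id, "method": method_id, "fare": fare, "billed": True}

# Constructed rider with one active card and one expired card.
RIDER = Rider("rider-1", {
    "card-1": PaymentMethod("card-1", "active"),
    "card-2": PaymentMethod("card-2", "expired"),
})
```

The same server-side check belongs in an automated test so that a regression in the booking path is caught in CI rather than by an outside researcher.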
Brands must adopt proactive security for vulnerability discovery: Prakash
While Prakash expressed satisfaction at having helped get the bug fixed, he also warned that such issues create complications for brands, such as revenue loss. He suggested that brands must adopt proactive security for vulnerability discovery. They should test their applications manually, since most tools would miss a bug like this. He added that consistent security assessments are required, including engagement with the external hacker community.
Prakash understands how hackers think and operate
Prakash also said that brands should have more checks in their CI/CD pipelines to detect issues early on. He revealed that, being an ethical hacker, he understands how hackers think and operate, which gives him a useful outlook on solving security issues in code. "We play devil's advocates all the time and so they're able to safeguard corporates and customers the way they do," he wrote.