Indian researcher discloses Uber bug, bags Rs. 4.6 lakh reward

During a recent analysis of Uber's app, Prakash unearthed a bug that gave him and potentially other threat actors, the ability to take over the Uber account of any user.

He verified the existence of the issue and figured it was risking the security of people using the main Uber app as well as those ordering and delivering food via Uber Eats.

Prakash claimed the bug stemmed from an issue with the API request function of the Uber app.

Typically, API requests are used to ensure one app works with other, like Uber with Google Maps for showing rides on the road.

However, in this case, one of the endpoints in the API request channel wasn't properly secured, which gave away access tokens of Uber users.

After discovering the issue, Prakash, who worked at security firm AppSecure, reported the same to Uber under its responsible disclosure policy.

The company recognized the same in a matter of days and issued a patch for the vulnerability on April 26.

Just recently, it was made public by the ride-hailing giant on Prakash's request.