Indian researcher discloses Uber bug, bags Rs. 4.6 lakh reward
What's the story
An Indian security researcher has bagged a cash reward of $6,500 (approximately Rs. 4.6 lakh) from Uber Technologies Inc. The man, Anand Prakash, had flagged a critical account hacking vulnerability in Uber's service, prompting the ride-hailing giant to issue an immediate patch and pay Prakash under its responsible disclosure bug bounty program. Here's all about the bug that he disclosed.
Issue
Uber accounts found vulnerable to hacking
During a recent analysis of Uber's app, Prakash unearthed a bug that gave him and potentially other threat actors, the ability to take over the Uber account of any user. He verified the existence of the issue and figured it was risking the security of people using the main Uber app as well as those ordering and delivering food via Uber Eats.
Details
API request issue leaked access tokens
Prakash claimed the bug stemmed from an issue with the API request function of the Uber app. Typically, API requests are used to ensure one app works with other, like Uber with Google Maps for showing rides on the road. However, in this case, one of the endpoints in the API request channel wasn't properly secured, which gave away access tokens of Uber users.
Fix
Issue reported to Uber, now fixed
After discovering the issue, Prakash, who worked at security firm AppSecure, reported the same to Uber under its responsible disclosure policy. The company recognized the same in a matter of days and issued a patch for the vulnerability on April 26. Just recently, it was made public by the ride-hailing giant on Prakash's request.
Quote
Uber has paid over $2 million in bug bounty
"The bug was quickly fixed through Uber's bug bounty program, which has paid over $2 million to more than 600 researchers around the world, including top researchers in India," Uber told Inc42, adding they're grateful to Indian researchers who have helped protect the Uber platform.