Researcher Finds Bug That Allowed Free Uber Rides

Bug bounty programs can be a lucrative source of income for white-hat hackers, and that was the case for security researcher Anand Prakash, who discovered a huge flaw in Uber’s system. The flaw would essentially have let anyone abusing it book rides they never had to pay for.

Prakash discovered the bug back in August, when he received permission from Uber to test it in the U.S. as well as India. He was able to exploit the bug in both locations and get free rides with Uber.

Prakash reported the issue through the proper channels, using Uber’s bug bounty program. Bug bounty programs are common these days: they reward hackers for doing good rather than selling an exploit to the highest bidder on the black market. Hackers can make $100 to $10,000 at Uber depending on the severity of the bug and whether it impacts other users. Uber fixed the bug the same day Prakash reported it and paid him $5,000, but Prakash waited until this week to publicly discuss the bug.

The bug occurred when specifying a method of payment. Prakash showed in a proof-of-concept video that he could easily intercept the communication and specify an invalid payment method using a simple random string.
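To illustrate the class of flaw described above and the server-side check that closes it, here is an added Python example; it is not code from Uber or from Prakash's report. It assumes the flaw was a server that trusted the payment method identifier sent in the request, and every function name, identifier and record in it is hypothetical.

```python
# Added illustration: all names and records are hypothetical, not Uber's API.
from dataclasses import dataclass

@dataclass(frozen=True)
class PaymentMethod:
    method_id: str
    owner_id: str
    active: bool

# Constructed sample data: the server's own record of payment methods on file.
PAYMENT_METHODS = {
    "pm_1001": PaymentMethod("pm_1001", "rider_a", True),
    "pm_1002": PaymentMethod("pm_1002", "rider_b", True),
    "pm_1003": PaymentMethod("pm_1003", "rider_a", False),  # expired card
}

class PaymentError(Exception):
    """Raised when a ride request names a payment method that cannot be charged."""

def book_ride_unchecked(rider_id, request):
    # Flawed pattern (assumed): the identifier from the request body is trusted
    # as-is, so the ride is confirmed even when nothing chargeable backs it.
    return {"rider": rider_id, "payment_method": request["payment_method_id"],
            "status": "confirmed"}

def resolve_payment_method(rider_id, method_id):
    """Return the stored method only if it exists, belongs to the rider and is active."""
    if not isinstance(method_id, str):
        raise PaymentError("payment method id must be a string")
    method = PAYMENT_METHODS.get(method_id)
    # Same error for "unknown" and "someone else's", so the response does not
    # reveal which identifiers exist.
    if method is None or method.owner_id != rider_id:
        raise PaymentError("unknown payment method")
    if not method.active:
        raise PaymentError("payment method is not active")
    return method

def book_ride_checked(rider_id, request):
    # Hardened pattern: resolve the identifier against server-side records
    # before confirming; a missing key is rejected like an invalid one.
    method = resolve_payment_method(rider_id, request.get("payment_method_id"))
    return {"rider": rider_id, "payment_method": method.method_id,
            "status": "confirmed"}
```

In a production system this lookup would typically be followed by an authorization with the payment processor before the ride is dispatched.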

“Attackers could have misused this by taking unlimited free rides from their Uber account,” Anand Prakash explained in a blog post.

“Uber’s bug bounty program works with security researchers all over the world to fix bugs, even when they don’t directly impact our users. We appreciate Anand’s ongoing contributions and were happy to reward him for an excellent report,” an Uber spokesperson said.

It is easy to see why companies run this sort of bug bounty program. $5,000 is a small price to pay considering how much money Uber, with operations in 528 cities worldwide, could have lost if Prakash had sold his information to the highest bidder instead of reporting it.

Bohs Hansen
