A bug in Uber could have been used by users to ride for free anywhere where the service is available, a researcher has discovered.
Discovered by Anand Prakash from Bangalore, India, the issue could have been abused by attackers to take unlimited free rides from their Uber account. In fact, the researcher took free rides in both the United States and India to demonstrate the vulnerability, but only after the Uber team agreed to this, he says.
The issue was found to be related to the payment method that users are required to specify when creating an account on Uber.com. Such an account is required to be able to use the service, and users can either pay with cash when the ride is completed, or can have the cost automatically charged to their credit/debit card.
The researcher discovered that if an invalid payment method is specified, one could ride Uber for free. The bug, he explains, resides in a POST request to dial.uber.com. To reproduce the vulnerability, one would simply need to input an invalid value for “payment_method_id” in said request:
{“start_latitude”:12.925151699999999,”start_longitude”:77.6657536,
“product_id”:”db6779d6-d8da-479f-8ac7-8068f4dade6f”,”payment_method_id”:”xyz”}
Prakash reported the vulnerability to Uber via the company’s bug bounty program on HackerOne, which offers rewards between $100 and $10,000 for bugs in several dozen Uber properties. The issue was apparently discovered in August 2016, and Uber was able to fix it the same day the researcher disclosed it. The company awarded the researcher $5,000 for this finding.
In addition to making information about the issue public, the researcher also published a video that shows how the vulnerability can be abused.
A member of the HackerOne community since 2013, Prakash is actively hunting bugs in other services as well, including Twitter, Souq.com, Yahoo!, and Slack. The researcher is ranked 29 on HackerOne, but ranks 14 in Uber’s bug bounty program (and is placed third in Twitter’s).
