Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Bug Allowed Free Uber Rides

A bug in Uber could have been used by users to ride for free anywhere where the service is available, a researcher has discovered.

A bug in Uber could have been used by users to ride for free anywhere where the service is available, a researcher has discovered.

Discovered by Anand Prakash from Bangalore, India, the issue could have been abused by attackers to take unlimited free rides from their Uber account. In fact, the researcher took free rides in both the United States and India to demonstrate the vulnerability, but only after the Uber team agreed to this, he says.

The issue was found to be related to the payment method that users are required to specify when creating an account on Uber.com. Such an account is required to be able to use the service, and users can either pay with cash when the ride is completed, or can have the cost automatically charged to their credit/debit card.

The researcher discovered that if an invalid payment method is specified, one could ride Uber for free. The bug, he explains, resides in a POST request to dial.uber.com. To reproduce the vulnerability, one would simply need to input an invalid value for “payment_method_id” in said request:

{“start_latitude”:12.925151699999999,”start_longitude”:77.6657536,

“product_id”:”db6779d6-d8da-479f-8ac7-8068f4dade6f”,”payment_method_id”:”xyz”}

Advertisement. Scroll to continue reading.

Prakash reported the vulnerability to Uber via the company’s bug bounty program on HackerOne, which offers rewards between $100 and $10,000 for bugs in several dozen Uber properties. The issue was apparently discovered in August 2016, and Uber was able to fix it the same day the researcher disclosed it. The company awarded the researcher $5,000 for this finding.

In addition to making information about the issue public, the researcher also published a video that shows how the vulnerability can be abused.

A member of the HackerOne community since 2013, Prakash is actively hunting bugs in other services as well, including Twitter, Souq.com, Yahoo!, and Slack. The researcher is ranked 29 on HackerOne, but ranks 14 in Uber’s bug bounty program (and is placed third in Twitter’s).

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.