A hacker from Bangalore, India, has uncovered a security loophole in the well-known online transportation network company Uber that allowed anyone to get free rides for a lifetime. Anand Prakash, a product security engineer, said it was easy to exploit the Uber loophole to overwrite the app to get free rides around the world.
He has demonstrated in a video the entire process by which anyone could have used the loophole within the Uber app to get the rides. Anand was apparently rewarded $5,000 for his discovery, as he reported the issue through Uber’s bug bounty program, in which hackers are rewarded anywhere between $100 and $10,000 for identifying and reporting security bugs or issues.
According to the engineer, when someone creates an account on Uber and starts a ride, they can pay by credit card, debit card, cash or wallet once the trip is over. But when he specified an invalid mode of payment, the app allowed him to take a free ride. He used his method on the ride-sharing app in different countries and found that it worked everywhere.
To demonstrate the bug, Anand got permission from the Uber team and took free rides in the United States and India, and he wasn’t charged on any of his payment methods.
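The article does not describe Uber's code or the root cause. As an added illustration (not Uber's or the researcher's code), the following constructed Python sketch shows the general class of flaw described above, a billing path that fails open when the payment method is not recognised, next to a fail-closed version and a reconciliation check that flags completed trips with no matching charge. All class names, field names and sample values are hypothetical.

```python
from dataclasses import dataclass, field

class PaymentError(Exception):
    """Raised when a trip cannot be billed to a method the rider owns."""

@dataclass
class Rider:
    rider_id: str
    methods: dict  # method_id -> kind, e.g. {"pm_card": "card"}

@dataclass
class Billing:
    ledger: list = field(default_factory=list)  # (trip_id, method_id, cents)
    trips: list = field(default_factory=list)   # (trip_id, fare_cents)

    def _charge(self, trip_id, method_id, cents):
        self.ledger.append((trip_id, method_id, cents))

    def settle_fail_open(self, rider, trip_id, method_id, fare_cents):
        # Flawed: an unrecognised method_id silently skips the charge,
        # yet the trip is still recorded as completed.
        if method_id in rider.methods:
            self._charge(trip_id, method_id, fare_cents)
        self.trips.append((trip_id, fare_cents))
        return "completed"

    def settle_fail_closed(self, rider, trip_id, method_id, fare_cents):
        # Hardened: the client-supplied id must resolve to a method on the
        # rider's own account, otherwise the request is rejected.
        if method_id not in rider.methods:
            raise PaymentError(f"unknown payment method for rider {rider.rider_id}")
        self._charge(trip_id, method_id, fare_cents)
        self.trips.append((trip_id, fare_cents))
        return "completed"

    def unbilled_trips(self):
        # Reconciliation: completed trips whose fare is not covered by
        # ledger entries carrying the same trip id.
        paid = {}
        for trip_id, _method, cents in self.ledger:
            paid[trip_id] = paid.get(trip_id, 0) + cents
        return [t for t, fare in self.trips if paid.get(t, 0) < fare]

def demo():
    rider = Rider("r1", {"pm_card": "card"})  # constructed sample data
    billing = Billing()
    billing.settle_fail_open(rider, "t1", "pm_card", 1200)
    billing.settle_fail_open(rider, "t2", "bogus", 900)  # completes unbilled
    try:
        billing.settle_fail_closed(rider, "t3", "bogus", 700)
        rejected = False
    except PaymentError:
        rejected = True
    return billing.unbilled_trips(), rejected
```

Running `demo()` shows the fail-open path leaving trip `t2` unbilled while the fail-closed path rejects the same input before any trip is recorded.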
Uber Security Programme
Currently, the Uber security programme employs 200 researchers who are given the task of finding vulnerabilities that could be exploited by hackers. The bug has already been fixed by the people at Uber, saving them from a loss.
Uber believes that this bug bounty programme will help ensure that their code is as secure as possible. Their unique loyalty scheme will encourage the security community to become experts when it comes to Uber.
Anand makes a living out of finding security bugs. So far, he has been awarded $13,500 (£11,000) from Uber in bounty rewards. Earlier, he had reported bugs related to Facebook that can enable anyone to set a password for your account.
Anand also runs a blog on web application security.