CSO Alerts: Quick Take on Uber’s Bug Bounty Program

Uber’s security programme, which is the Bug Bounty Program, invites people to identify any vulnerability in their security systems.

A product security engineer Anand Prakash, discovered a security bug in popular cab-hailing service, which allowed him to take free Uber rides, tested in the U.S. as well as India.

Uber’s Chief Security Officer, Joe Sullivan said last year in a statement:

“Even with a team of highly-qualified and well trained security experts, you need to be constantly on the look-out for ways to improve. This bug bounty programme will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber.”

The computer programmer, who runs a blog on web application security, explained it was “easy” to exploit the security loophole.

“Attackers could have misused this by taking unlimited free rides from their Uber account.”

When ordering an Uber, Prakash was able to avoid paying for the ride by exploiting a bug when specifying his method of payment [Uber users can pay using cash in some cities].

“Users can create their account on Uber.com and can start riding. When a ride is completed, a user can either pay cash or charge it to their credit/debit card. But, by specifying an invalid payment method for example: abc, xyz etc, I could ride Uber for free.”

He identified the issue, which has now been resolved, in August last year and was rewarded by Uber through its bug bounty hunters programme.

“To demonstrate the bug, I got permission from the Uber team and took free rides in United States and India and I wasn’t charged from any of my payment methods,” he added.

According to The Telegraph, Prakash makes a living out of finding security bugs and has so far been awarded $13,500 (£11,000) from Uber in bounty rewards. Before this stunt, he revealed taking over Facebook accounts and changing its password, and is known to be one of the top hackers signed up for social media site’s White Hat bug-finding programme.

Source: The Telegraph
Image Source: Uber