Just when one thinks an application needs nothing more than routine upgrades and minor patches, somewhere an Indian hacker finds a gaping loophole in the app.
In an interesting set of events, Anand Prakash, a Bengaluru-based product security engineer, explained a simple trick to get free Uber rides that could be used anywhere in the world. Apparently, Prakash was granted permission by the San Francisco-based taxi service, as part of its white hat bug-finding program, to look for any security loopholes that could be exploited by hackers to gain access to free rides and cause monetary damage to the company.
“I was testing Uber application for security loopholes,” Prakash explained. “This is how I was able to figure it out. It was easy to do. Attackers could have misused this by taking unlimited free rides from their Uber account.”
The security loophole in question involved creating an account on the cab service portal and hiring a cab. Upon completion of the ride, when offered the choice of paying by credit or debit card or by cash, he specified an invalid payment method that he could not pay from. Interestingly, the Uber app allowed him to ride for free instead of throwing an error.
Even though the hack isn’t easy for just anyone to replicate, someone with a fair bit of knowledge of scripting and coding could well have exploited this particular loophole to get free rides. Anand won a prize worth USD 13,500 for finding the bug and reporting it to Uber.
Anand Prakash works as an ethical hacker and is a part of Facebook’s white hat bug-finding program. Earlier, he won a bounty worth USD 15,000 from Facebook for finding a bug that could enable someone to get access to someone else’s account and change its password easily.