How to book an Uber ride for free (ZDNet)

Uber has experienced better months and now a vulnerability discovered in the firm’s ride-hailing app could have given users at large the chance to book cars without paying a cent.

Security researcher Anand Prakash revealed the bug’s presence in a blog post, noting that the security flaw could have allowed attackers to take unlimited free rides from their Uber account.

The vulnerability itself is rather simple. When you sign up for an Uber account and download the app to find and book nearby rides, you must specify a payment method or pay in cash after you have reached your destination.

However, by creating an account and specifying an invalid payment method, Prakash was able to take free rides in both the US and India.

To exploit the problem, the request below was used, with the payment method ID changed to random characters, such as “xyz.”

Vulnerable request:

POST /api/dial/v2/requests HTTP/1.1
Host: dial.uber.com

{"start_latitude":12.925151699999999,"start_longitude":77.6657536,"product_id":"db6779d6-d8da-479f-8ac7-8068f4dade6f","payment_method_id":"xyz"}
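The server-side check whose absence the request above points to, as an added example (not Uber's code and not from the original article): a ride request is dispatched only when its payment_method_id resolves to a chargeable method on the authenticated account. The account store, the status values and the UUID id format are assumptions.

```python
import json
import uuid

# Constructed data: payment methods on file per account. Every name below is
# hypothetical; this is not Uber's schema or API.
PAYMENT_METHODS = {
    "rider-1": {"3f2b8c1e-5d4a-4e6f-9a7b-1c2d3e4f5a6b": "verified",
                "9a8b7c6d-1e2f-4a3b-8c4d-5e6f7a8b9c0d": "expired"},
    "rider-2": {"0c1d2e3f-4a5b-4c6d-8e7f-8a9b0c1d2e3f": "verified"},
}

# JSON body of the request quoted in the article.
ARTICLE_BODY = ('{"start_latitude":12.925151699999999,"start_longitude":77.6657536,'
                '"product_id":"db6779d6-d8da-479f-8ac7-8068f4dade6f",'
                '"payment_method_id":"xyz"}')


class RideRequestRejected(Exception):
    """The ride request must not be dispatched."""


def validate_ride_request(account_id, raw_body):
    """Return the parsed body only if it names a chargeable payment method."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise RideRequestRejected("malformed JSON") from exc
    pm_id = body.get("payment_method_id") if isinstance(body, dict) else None
    if not isinstance(pm_id, str):
        raise RideRequestRejected("payment_method_id missing or not a string")
    try:
        pm_id = str(uuid.UUID(pm_id))  # assumption: ids are UUIDs, like product_id
    except ValueError as exc:
        raise RideRequestRejected("payment_method_id is not a valid id") from exc
    # Look up under the authenticated account only: another rider's id is
    # rejected exactly like an id that does not exist.
    status = PAYMENT_METHODS.get(account_id, {}).get(pm_id)
    if status is None:
        raise RideRequestRejected("payment method not on file for this account")
    if status != "verified":
        raise RideRequestRejected("payment method is not chargeable")
    return body


def is_dispatchable(account_id, raw_body):
    """True when the request passes validation, False when it is rejected."""
    try:
        validate_ride_request(account_id, raw_body)
        return True
    except RideRequestRejected:
        return False
```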

The issue was reported through Uber’s bug bounty program, hosted by HackerOne. The company has so far shelled out $899,595 in bug bounties, with the average payment being $750 to $1000.

Prakash is a well-known security researcher who has managed to earn thousands of dollars by finding and disclosing security flaws in software offered by Uber, Yahoo, Twitter, and Souq, among others. According to TechCrunch, this bug report netted him a reward of $5,000.

Uber has now patched the security flaw.

“Uber’s bug bounty program works with security researchers all over the world to fix bugs, even when they don’t directly impact our users. We appreciate Anand’s ongoing contributions and were happy to reward him for an excellent report,” an Uber spokesperson said.

The company has suffered recently. Problems began to surface after a social media campaign, #DeleteUber, launched following the firm’s behavior during the ‘Muslim ban’ strike at JFK, and the campaign returned after ex-engineer Susan Fowler claimed Uber’s corporate culture is rife with sexism.

Following the PR storm, CEO Travis Kalanick was caught on video having an argument with one of his drivers, and now, the company’s secret “Greyball” program to stay away from the cops has come to light.

Source: SANS ISC SecNewsFeed @ March 6, 2017 at 04:01AM
