Now if I was a researcher and I stumbled across something like this, well I would be tempted very badly. Free travel for life isn’t something to be let go of lightly. Security Researcher Anand Prakash however, was able to exercise control and report his find to Uber.
Prakash first discovered the bug in August and notified Uber. He then received permission to test it in both India and the US (by getting free rides, how else?) and the anomaly worked in both the countries. He then reported the bug through Uber’s bug bounty program. The company issued a fix for the bug on the same day and rewarded Prakash with a $5,000 sum.
As far as I can make out, Prakash intercepted the request and managed to change the payment method in the code to a random string. This enabled him to bypass having to pay at all.
Here is the code for payment method before tampering:
Here is the same code after Prakash modified the last line slightly and changed it to a random string of alphabets:
And voilà! You can now ride like a king and get off without having to pay. I am not certain but I assume that Uber was the one actually losing money here, since the driver would generally make a fuss if he was not paid.
Commenting on the development, Uber said:
Uber’s bug bounty program works with security researchers all over the world to fix bugs, even when they don’t directly impact our users. We appreciate Anand’s ongoing contributions and were happy to reward him for an excellent report.
After all, $5,000 is a small price to pay for a bug of this sort. Imagine if it had spread? I can just imagine people going crazy, hiring cabs for every 100 yards.
You can check out the vulnerability in action right below or visit Anand Prakash’s blog to know more about the topic:
Prakash is a regular bug hunter and is ranked 14th in Uber’s program. He also makes contributions to other tech companies like Facebook.