Uber has to be one of the most preferred modes of transport for people in cities around the world. The convenience and service of the ride-sharing app has definitely got people hooked.
And recently, an Indian cyber-security researcher by the name of Anand Prakash found a major vulnerability in India's favourite ride-sharing app that gave hackers complete access to the app, along with Uber's food delivery app -- UberEats.
The vulnerability was found in an API request, where hackers could gain access to an account by simply taking over a user's email address or phone number. With either the phone number or the email ID, an attacker could generate a unique user ID, also referred to as an 'access token', with the help of Uber's API, or Application Programming Interface.
APIs are usually responsible for sending information from Uber to app developers so that their apps can work with Uber, the way Google Maps works with Uber to let users grab a cab from their location.
Prakash was rewarded $6,500 (approximately Rs 4,60,000) by Uber for reporting this vulnerability as part of its bug bounty programme. As per Uber, such a vulnerability is classified at 8.5/10, which falls in the 'severe' category.
Uber is known to pay up to $50,000 for disclosures. The bug was reported to Uber on April 19, after which Uber started working on a solution on April 25 and completely fixed the vulnerability on April 26.
According to Uber's spokesperson, this vulnerability hasn't been exploited by hackers yet. He further stated that Uber has safety measures in place for unauthorised logins where it notifies the user and asks him/her to either confirm that it was a legitimate login or reset the credentials from there.
The spokesperson also stated that Uber's bug bounty programme has paid over $2 million USD to over 600 researchers around the world, which includes many researchers from India.