Business Technology

Saturday 29 April 2017

Hacker reveals simple loophole to get free Uber rides for life

The computer programmer explained it was “easy” to exploit the security loophole
The computer programmer explained it was “easy” to exploit the security loophole

Mark Molloy

A hacker has discovered a genius way to get free Uber rides by uncovering a security bug for the popular taxi service.

Anand Prakash, a product security engineer, has highlighted a simple trick he used to get free Uber rides anywhere in the world.

The computer programmer, who runs a blog on web application security, explained it was “easy” to exploit the security loophole.

“I was testing Uber application for security loopholes,” he explained. “This is how I was able to figure it out. It was easy to do.

“Attackers could have misused this by taking unlimited free rides from their Uber account.”

When ordering an Uber, Prakash was able to avoid paying for the ride by exploiting a bug when specifying his method of payment [Uber users can pay using cash in some cities].

“Users can create their account on Uber.com and can start riding. When a ride is completed, a user can either pay cash or charge it to their credit/debit card,” he said.

“But, by specifying an invalid payment method for example: abc, xyz etc, I could ride Uber for free.”

He identified the issue, which has now been resolved, in August last year and was rewarded by Uber through its bug bounty hunters programme.

Read more: 'Ashamed' Uber boss Travis Kalanick filmed in heated row with driver over fares

“To demonstrate the bug, I got permission from the Uber team and took free rides in United States and India and I wasn't charged from any of my payment methods,” he added.

The Uber security programme currently employs 200 researchers who search for bugs which could be exploited by hackers, with the company paying out up to $10,000 for critical issues identified.

Prakash said he makes a living out of finding security bugs and has so far been awarded $13,500 from Uber in bounty rewards.

He previously revealed how to take over any Facebook account and change its password and is currently one of the top hackers signed up to the social media site’s White Hat bug-finding programme.

“Even with a team of highly-qualified and well trained security experts, you need to be constantly on the look-out for ways to improve,” Joe Sullivan, Uber’s Chief Security Officer, said last year.

“This bug bounty programme will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber.”

It's been a bad week for Uber after its co-founder Travis Kalanick was filmed in a heated row with a driver over fares.

Telegraph.co.uk

Promoted articles

Also in Business