Uber Account Takeover Bug Found by Indian Researcher, Now Fixed

Global ride-hailing giant Uber has recently fixed a hacking bug found by Indian cyber-security researcher Anand Prakash which allowed hackers to log into anyone's Uber account.

Uber has paid Prakash $6,500, i.e. about Rs 4.6 lakh as a reward for giving information about this bug.

Prakash explained that the bug was an account-takeover-vulnerability on Uber that allowed attackers to take over any other user's Uber account, including those of partners and Uber Eats users, Inc42 reported.

As per Prakash's blog, the bug was present in the API request function of the Uber app. Prakash describes "an account takeover vulnerability on Uber which allowed attackers to take over any other user's Uber account (including riders, partners, eats) account by supplying user UUID in the API request and using the leaked token in the API response to hijack accounts. We were able to enumerate any other Uber's user UUID by supplying their phone number or email address in another API request."

He added that the bug "allowed an attacker to track the victim's location, take rides from their account, etc. by compromising the account using the leaked access token of Uber mobile application. This also permitted takeover of Uber driver, Eats accounts."

According to a statement provided by an Uber spokesperson to Inc42, "The bug was quickly fixed through Uber's bug bounty program, which has paid over $2M USD to more than 600 researchers around the world, including top researchers in India. We are grateful for their contributions to help protect the Uber platform.”

Earlier Prakash had removed a bug in Uber, by taking advantage of which anyone could travel for free for a lifetime in an Uber cab.