A hacker and product security engineer Anand Prakash, from Bangalore, found a bug on Uber transportation Network Company’s application.
With this simple trick, he is able to get a free ride from anywhere in the world.
Anand Prakash runs a blog on web application security, said it was “simple” to exploit a bug to overwrite the app to get free Uber car rides around the world.
“I was testing Uber application for security loopholes,” he explained. “This is how I was able to figure it out. It was easy to do.
“Attackers could have misused this by taking unlimited free rides from their Uber account.”
“Users can create their account on Uber.com and can start riding. When a ride is completed, a user can either pay cash or charge it to their credit/debit card,” he says, adding, “But, by specifying an invalid payment method for example:abc, xyz etc, he could ride Uber for free.”
The hacker used his method on the ride-sharing app in different countries and found that it worked everywhere. “To demonstrate the bug, he got permission from the Uber team and took free rides in the United States and India and he wasn’t charged from any of my payment methods.”
Currently, the Uber security programme employs 200 researchers who are given the task of finding vulnerabilities that could be exploited by hackers. The company pays out up to $10,000 (£8,000) for critical issues identified.
“This bug bounty programme will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber.”
Prakash said he makes a living out of finding security bugs and has until now been awarded $13,500 (£11,000) from Uber in bounty rewards.
This is how he found the bug:
This is not the first time that Prakash has revealed vulnerability. In the past too, he had disclosed how to take over the Facebook account and change its password. He is also currently one of the top hackers signed up to the social media site’s White Hat bug-finding programme. In the meantime, he has found a genius way to get free Domino’s pizzas free for life and he also found a bug on zomato an online restaurant app to get user details for free. All these bugs are fixed by respective applications owners.
