Indian security researcher finds bug that allowed unlimited free Uber rides and gets rewarded $5000

Anand Prakash, a Security researcher discovered a bug in Ubers code that allowed anyone who found the problem to bypass payment and hail unlimited free uber rides. It was in August he disclosed the bug and received permission from Uber to get it tested in U.S and India. In both locations, Prakash was able to exploit the bug and availed free rides.

Prakash reported this issue trough Uber's Big Bounty program that rewards hackers for exploiting security vulnerabilities. Many companies operate big bounty programs and usually rewards hackers who exploit the bugs.

This in a way facilitates the companies to strengthen their security of their products. The reward depends on the severity of the drug and Uber pays between $100 to $10,000. In this case, Prakash was paid $5000 and Uber has immediately fixed the bug the day he reported it.
Also Read: Security researchers revealed a new ransomware that targets industrial systems and disrupts key daily process
He explained the process in his blog post and showed how it is done. The bug occurred when specifying the mode of payment. He could specify an invalid payment method expressed in characters like "abc" or "xyz" and thus it bypasses the payment, as a result, the ride would be free.

No comments:

Powered by Blogger.