Indian hacker finds bug that would’ve got him free Uber rides for life

Ethical hacker Anand Prakash has been awarded Rs 2 lakhs for discovering and reporting a bug in Uber’s system which would have allowed him to enjoy as many free rides as he pleased, at least until someone else discovered the flaw. He has uploaded a video to YouTube (see below) to demonstrate exactly how he was able to carry out the exploit.

An attacker need not have signed up for multiple user accounts in order to take advantage of the flaw. The bug would have allowed them to take as many free rides as they wanted from just one Uber account.

Rides can be paid for with cash or card. By inserting random characters into the payment field through the code, a hacker would have been able to hail an Uber through the system at no charge at all.

Upon presenting the glitch to Uber, Prakash was granted permission to demonstrate the bug in India and the US. Sure enough, he was able to get rides for free and was rewarded $3000 for his efforts. As any similar company servicing over 500 global cities would have done, Uber quickly patched the flaw, so there is no point trying to use the method shown in the video to score a free drop.

This is not the first time white-hat hacker Anand Prakash has made the news and given inspiration to bug bounty hunters the world over. The security engineer has been spotting hiccups like this on various platforms including Facebook and Zomato. He’s even been on Twitter’s list of top hackers from 2014 to 2016. And well, 2017 has just begun.

Check out Prakash’s blog post for more details.