Indian Hacker Helps Uber Fix ‘Unlimited Free Ride’ Bug

Uber Technologies Inc.

Uber is an online transportation network company headquartered in San Francisco, California, with operations in 528 cities worldwide.

So, what happens if someone finds a way to ride for free with Uber? The company takes a loss. Recently, an Indian security researcher named Anand Prakash discovered such a bug last August and received permission from Uber to test it in India and around the U.S.

Prakash reported the issue through the company's bug bounty program and, as a reward, was given $5000 for helping them discover the bug.

He was then able to successfully exploit the bug in Uber's software and get unlimited free rides in India as well as in the U.S.

The bug occurred when specifying a method of payment. Prakash showed in a proof-of-concept video that he was able to specify an invalid method of payment, expressed in a simple string of characters like “xyz” or “abc”, and not be billed for the ride.

Vulnerable request:

POST /api/dial/v2/requests HTTP/1.1
Host: dial.uber.com

{"start_latitude":12.925151699999999,"start_longitude":77.6657536,"product_id":"db6779d6-d8da-479f-8ac7-8068f4dade6f","payment_method_id":"xyz"}
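The root cause the article describes is a ride request whose payment_method_id is taken from the client without being checked against anything the server knows. The following is an added example, not Uber's code: a constructed request body shaped like the one above, a handler that trusts the client value (the reported flaw), and a hardened handler that only accepts an active payment method already on file for the authenticated account. The account ids, payment method ids and the lookup table are all constructed for the example.

```python
"""Server-side validation of a ride request's payment_method_id.

Added example (not Uber's code). Shows the flawed pattern, where the server
stores whatever payment_method_id the client sent, beside a hardened handler
that checks the id is well-formed, belongs to the caller, and is billable.
"""
import json
import uuid

# Constructed sample data: payment methods on file per account.
# account id -> {payment_method_id: status}
PAYMENT_METHODS_ON_FILE = {
    "rider-42": {
        "4f0d1b6e-1c3b-4e0b-9a8e-2c1f3a5b7d90": "active",
        "8a7c5e21-5f7d-4b2a-a1c0-6d9e4b3f2a11": "expired",
    },
}

# Constructed request body, shaped like the vulnerable request in the article.
SAMPLE_REQUEST_BODY = json.dumps({
    "start_latitude": 12.925151699999999,
    "start_longitude": 77.6657536,
    "product_id": "db6779d6-d8da-479f-8ac7-8068f4dade6f",
    "payment_method_id": "xyz",
})


class PaymentValidationError(ValueError):
    """Raised when the payment method on a ride request cannot be billed."""


def handle_ride_request_vulnerable(account_id, body):
    """Flawed handler: records whatever payment_method_id the client sent."""
    request = json.loads(body)
    # No check that the id exists or belongs to the caller; when billing
    # later runs there is nothing to charge, so the ride is never paid for.
    return {"account": account_id, "payment_method_id": request["payment_method_id"]}


def handle_ride_request_hardened(account_id, body):
    """Hardened handler: only an active method on file for this account is accepted."""
    request = json.loads(body)
    pm_id = request.get("payment_method_id")
    if not isinstance(pm_id, str):
        raise PaymentValidationError("payment_method_id missing or not a string")
    try:
        uuid.UUID(pm_id)  # cheap syntactic check before any lookup
    except ValueError:
        raise PaymentValidationError("payment_method_id is not a well-formed id")
    on_file = PAYMENT_METHODS_ON_FILE.get(account_id, {})
    status = on_file.get(pm_id)
    if status is None:
        # Unknown id and an id owned by another account get the same answer,
        # so the response does not reveal which ids exist.
        raise PaymentValidationError("payment method not on file for this account")
    if status != "active":
        raise PaymentValidationError(f"payment method is {status}")
    return {"account": account_id, "payment_method_id": pm_id}


def request_accepted(handler, account_id, body):
    """Return True if the handler accepts the request, False if it rejects it."""
    try:
        handler(account_id, body)
        return True
    except PaymentValidationError:
        return False


def with_payment_method(body, pm_id):
    """Return a copy of the JSON body with payment_method_id replaced."""
    request = json.loads(body)
    request["payment_method_id"] = pm_id
    return json.dumps(request)


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_ride_request_vulnerable),
                          ("hardened", handle_ride_request_hardened)):
        print(name, "accepts 'xyz':",
              request_accepted(handler, "rider-42", SAMPLE_REQUEST_BODY))
```

The ownership check is the part that matters: a syntactically valid id that belongs to a different account must be rejected just like "xyz", and the rejection message should not distinguish the two cases.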


Attackers could have misused this by taking unlimited free rides from their Uber account.

– Anand Prakash

However, Uber fixed the bug the same day Anand Prakash reported it.

You can find the proof-of-concept video in his blog post.

Credits: Pawan Kumar