Uber Confirms Account Takeover Vulnerability Found By Forbes 30 Under 30 Honoree

A security vulnerability has been discovered that could allow attackers to compromise and control any Uber account. The security researcher who found the flaw has revealed that the vulnerability could be exploited to track a user’s location and take rides from their account. As well as Uber users, the same vulnerability impacted Uber driver accounts and Uber Eats accounts.

How a Forbes 30 Under 30 honoree could have hacked your Uber account

Anand Prakash, founder of AppSecure and a Forbes 30 Under 30 honoree, discovered that it was possible for an attacker to exploit the vulnerability via an application programming interface (API) request. This involved first acquiring the user universally unique identifier (UUID) of any user by sending an API request that included either their telephone number or email address. "Once you have the leaked Uber UUID from the API request," Prakash said, "you can replay the request using the victim’s Uber UUID and get access to private information like access token (mobile apps), location and address." Prakash says that with the mobile apps access token he was able to completely compromise a test account in this way, requesting rides, getting payment information and more. A proof of concept video showing the attack methodology in action can be found here.

Uber learns from mistakes of the past

Uber deservedly got bad press after a data breach in 2016 that saw millions of driver and customers records exposed. The ride-hailing outfit also spent a hefty $148 million (£120 million) to settle legal action brought by the U.S. government and some 50 states following its failure to fully disclose the breach details to regulators. Then things started to change for the better at Uber as far as taking ownership of cybersecurity issues was concerned. On November 21, 2017, Dara Khosrowshahi, CEO at Uber, said "While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."

Uber responds rapidly to fix security issue

The way that Uber responded to this latest vulnerability disclosure suggests that Khosrowshahi was not just paying lip-service to cybersecurity. "Uber was very quick in rectifying the vulnerability after my report," Prakash says. Indeed, having reported the issue to Uber via the HackerOne bug bounty platform on April 19, Uber had implemented a fix by April 26. Uber had also paid Prakash a bounty of $6500 (£5275) to add to his already impressive reward tally. While not yet one of the HackerOne hackers who have already become millionaires, if he keeps on finding vulnerabilities at this rate, it's only a matter of time.

Prevention is better than cure

I asked Prakash what organizations should be doing to prevent this kind of vulnerability. "Organizations should perform secure code reviews and open up bug bounty programs when they have an internal security team," Prakash says, "but no one can make sure a system is 100% secure, that's why people like me exist to help make the internet a safer place." One thing's for sure, Prakash is helping make Uber a safer place; he's currently ranked number four in the HackerOne platform Uber bounty program thanks with a whole bunch of vulnerabilities disclosed, subsequently fixed and bounties paid.

An Uber spokesperson says that “Uber's bug bounty program has paid over $2 million (£1.6 million) to more than 600 researchers around the world and we're grateful for their contributions to help protect the Uber platform.”

—

Updated September 12: This article was updated to include a statement from Uber.