Indian hacker finds a bug in Uber that allows free rides for life

An ethical hacker from Bengaluru has saved the ride-haling service provider Uber a massive headache. Anand Prakash who is a top-ranked hacker for Facebook’s bug bounty programme, has revealed a bug in Uber’s payment services that could have been used for unlimited lifetime free rides anywhere in the world.

“Attackers could have misused this by taking unlimited free rides from their Uber account,” Anand wrote in his blog post . He reported the issue through Uber’s bug bounty program in August 2016 and also received a cash prize of $5000 from Uber.

“Uber’s bug bounty programme works with security researchers all over the world to fix bugs, even when they don’t directly impact our users. We appreciate Anand’s ongoing contributions and were happy to reward him for an excellent report,” said an Uber spokesperson.

Uber users pay for a ride either by cash or charge it to their credit or debit card but what Prakash noted that by specifying an invalid payment method for abc, xyz etc, he could ride Uber for free.  He received permission from Uber for demonstrating the bug in US and India. While the bug was immediately fixed by Uber, Prakash disclosed the bug in his blog, only after he received approval from the company to do so. He has explained more about this bug through a video on his blog.

This is not the first such achievement of Prakash. The white hat hacker has also been rewarded by companies like Facebook, Twitter, Adobe  and Google among others. He has earlier received a cash prize of $15000 from Facebook for finding a bug in the Facebook’s password system.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s