Indian Hacker Discovered A Vulnerability In Uber App To Get Free Rides For Lifetime

A Vulnerability discovered in Uber app, which allows free rides for the lifetime.

A hacker from Bangalore, in India, has discovered a security vulnerability in the famous Uber app, which allows anyone to get free rides for the lifetime.

The Hacker, Anand Prakash, has posted a video that shows how anyone could have used the security flaw to get free rides for life.

Uber is the San Francisco-based transportation company, the hacker finds the vulnerability in the payment method of Uber. According to Anand, when an invalid payment method is specified that he cannot pay from, the Uber app allows him to rides for free.

Uber allow riding and pay after completion either by credit card or debit card or by cash, wallet or Internet banking.

He demonstrated the vulnerability after taking due permission from the Uber security team. He showed the security team of Uber how he can get free rides in India and in the United States without paying any penny from his account.

He has posted the same details on his blog:

Vulnerable request:

POST /api/dial/v2/requests HTTP/1.1

Host: dial.uber.com

{“start_latitude”:12.925151699999999,”start_longitude”:77.6657536,

“product_id”:”db6779d6-d8da-479f-8ac7-8068f4dade6f”,”payment_method_id”:”xyz”}

Steps to get free rides (Already Fixed By Uber):

1) Replay the above request everytime with random characters as payment_method_id.

2) And bang get the rides free.

Proof-Of-Concept Demonstrated.

You need little coding to exploit the bug. However, the security flaw is now fixed by Uber said, “Thanks to the hacker who has saved Uber from a huge loss, if someone would have exploited the flaw and it went unnoticed”.

The company give a bounty of $10,000 for any critical flaw discovered and reported to them.

Uber has rewarded Prakash with a bounty of $13,500 as bug bounty programme. Prakash has already found my bugs and he is the part of Facebook’s White Hat bug bounty programme.

He also found a security bug in Facebook where one can take over anyone’s Facebook account and changes its password. He received a bounty of $15,000 from Facebook.

LEAVE A REPLY

Please enter your comment!
Please enter your name here