Uber has fixed a high severity bug found by a tech bug bounty hunter


Ride-haling firm Uber has fixed a “high” severity bug found by a tech bug bounty hunter. The flaw found by Anand Prakash back in April allowed would-be hackers to book rides and food on Uber customers’ accounts by using the account holder’s email address or phone number. 

The tech security researcher summarised the bug on Hackerone.com, a site which pays bounties for bugs found on certain platforms like Uber’s, as ‘using the API token attacker could have gained full access to driver/rider account’. Uber paid out $6,500 (£5,300) to Prakesh for finding the bug under its bug bounty programme on Hackerone. Uber closed the bug submitted as resolved and rated the severity of the glitch as ‘High’. Uber said in its summary of the bug: “It was possible for an attacker to insert another user’s UUID into the userUuid POST parameter when making a request to https://bonjour.uber.com/marketplace/_rpc?rpc=getConsentScreenDetails, allowing them to retrieve personal data from the victim user’s account, as well as the user's mobile auth token, which could allow them to make requests to mobile APIs as the victim.” 

CVAugbanner.gif
  • Facebook TaxiPoint
  • Twitter TaxiPoint
  • YouTube TaxiPoint
  • Instagram
ltda banner.JPG

TRENDING...

VEHICLE...

Cabbies Do Kili Oct Footer Banner.jpg
Market Footer .gif

COVID-19...

ltpr.GIF
TAXI INSURANCE MMC October 2020.gif
TaxiPoint- 300x200px Taxi GIF PLAN AUG 2
private hire cover from Utility Saving Expert

The views expressed in this publication are not necessarily those of the publishers.

All written and image rights are reserved by authors displayed. Creative Common image licenses displayed where applicable.

Reproduction in whole or in part without prior permission from the publisher is strictly prohibited.

All written content Copyright of TaxiPoint 2020.