Uber has fixed a high severity bug found by a tech bug bounty hunter

12 Sep 2019

Ride-hailing firm Uber has fixed a “high” severity bug found by a tech bug bounty hunter.

The flaw found by Anand Prakash back in April allowed would-be hackers to book rides and food on Uber customers’ accounts by using the account holder’s email address or phone number. 

The tech security researcher summarised the bug on Hackerone.com, a site which pays bounties for bugs found on certain platforms like Uber’s, as ‘using the API token attacker could have gained full access to driver/rider account’.

Uber paid out $6,500 (£5,300) to Prakash for finding the bug under its bug bounty programme on Hackerone. Uber closed the submitted bug as resolved and rated the severity of the glitch as ‘High’.

Uber said in its summary of the bug: “It was possible for an attacker to insert another user’s UUID into the userUuid POST parameter when making a request to https://bonjour.uber.com/marketplace/_rpc?rpc=getConsentScreenDetails, allowing them to retrieve personal data from the victim user’s account, as well as the user's mobile auth token, which could allow them to make requests to mobile APIs as the victim.” 
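The defect Uber describes is a missing object-level authorization check: the server trusted a caller-supplied userUuid instead of the identity behind the session. The following is an added example, not Uber's code; the endpoint logic, user records, session ids and tokens are constructed stand-ins. It shows the vulnerable pattern beside a hardened handler, plus a log heuristic a defender could run to spot sessions requesting other users' records.

```python
# Added example (not Uber's code): the authorization defect described in the
# advisory, a hardened handler, and a log check that surfaces the abuse pattern.
from collections import defaultdict

# Constructed sample data; UUIDs, tokens and session ids are placeholders.
USERS = {
    "uuid-alice": {"name": "Alice", "phone": "+1-555-0100", "mobile_token": "tok-alice"},
    "uuid-bob": {"name": "Bob", "phone": "+1-555-0101", "mobile_token": "tok-bob"},
}
SESSIONS = {"sess-alice": "uuid-alice", "sess-bob": "uuid-bob"}


def vulnerable_get_consent_screen_details(session_id, body):
    """Trusts the caller-supplied userUuid: any logged-in user can read any account,
    including the mobile auth token that lets them act as the victim."""
    if session_id not in SESSIONS:
        return 401, None
    user = USERS.get(body.get("userUuid"))
    return (404, None) if user is None else (200, dict(user))


def fixed_get_consent_screen_details(session_id, body):
    """Derives the subject from the authenticated session, refuses a userUuid that
    does not match it, and never returns secrets through this endpoint."""
    caller = SESSIONS.get(session_id)
    if caller is None:
        return 401, None
    if body.get("userUuid", caller) != caller:
        return 403, None
    safe = {k: v for k, v in USERS[caller].items() if k != "mobile_token"}
    return 200, safe


def sessions_reading_other_users(requests):
    """Detection heuristic over (session_id, body) request records: a session that
    supplies userUuids other than its own is probing for this class of bug."""
    seen = defaultdict(set)
    for session_id, body in requests:
        seen[session_id].add(body.get("userUuid"))
    return sorted(s for s, ids in seen.items() if ids - {SESSIONS.get(s)})
```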

The views expressed in this publication are not necessarily those of the publishers.

All written and image rights are reserved by authors displayed.

Reproduction in whole or in part without prior permission from the publisher is strictly prohibited.

All written content Copyright of TaxiPoint 2019. Creative Common image licenses displayed where applicable.