
Uber has fixed a high severity bug found by a tech bug bounty hunter

12 Sep 2019

Ride-hailing firm Uber has fixed a “high” severity bug found by a tech bug bounty hunter.

The flaw found by Anand Prakash back in April allowed would-be hackers to book rides and food on Uber customers’ accounts by using the account holder’s email address or phone number. 

The tech security researcher summarised the bug on Hackerone.com, a site which pays bounties for bugs found on certain platforms like Uber’s, as ‘using the API token attacker could have gained full access to driver/rider account’.

Uber paid out $6,500 (£5,300) to Prakash for finding the bug under its bug bounty programme on Hackerone. Uber closed the submitted bug as resolved and rated the severity of the glitch as ‘High’.

Uber said in its summary of the bug: “It was possible for an attacker to insert another user’s UUID into the userUuid POST parameter when making a request to https://bonjour.uber.com/marketplace/_rpc?rpc=getConsentScreenDetails, allowing them to retrieve personal data from the victim user’s account, as well as the user's mobile auth token, which could allow them to make requests to mobile APIs as the victim.” 
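
The class of flaw in that summary, a server trusting a client-supplied user identifier, is shown below beside the server-side check that closes it. This is an added example and not Uber's code: the handler names, session table and user records are constructed for illustration, and only the userUuid parameter name comes from the summary.

```python
import secrets

# Constructed sample data: two users, each with a private record.
USERS = {
    "uuid-alice": {"email": "alice@example.test",
                   "mobile_auth_token": secrets.token_hex(8)},
    "uuid-bob": {"email": "bob@example.test",
                 "mobile_auth_token": secrets.token_hex(8)},
}
# Constructed session table: session id -> UUID of the user who logged in.
SESSIONS = {"session-alice": "uuid-alice", "session-bob": "uuid-bob"}


class Forbidden(Exception):
    """The caller is not allowed to read the requested account."""


def consent_details_vulnerable(session_id, params):
    """Flawed pattern: authenticates the caller, then trusts userUuid."""
    if session_id not in SESSIONS:
        raise Forbidden("not authenticated")
    # No ownership check: any logged-in caller can name any account.
    return USERS[params["userUuid"]]


def consent_details_hardened(session_id, params):
    """Derives the account from the session, not from the request body."""
    caller = SESSIONS.get(session_id)
    if caller is None:
        raise Forbidden("not authenticated")
    # A userUuid that differs from the session owner is rejected outright.
    requested = params.get("userUuid", caller)
    if requested != caller:
        raise Forbidden("userUuid does not belong to the caller")
    record = USERS[caller]
    # Return only what the screen needs; never echo credentials.
    return {"email": record["email"]}
```

Rejected requests of this kind are also worth logging, since a session that repeatedly names other users' identifiers is a useful detection signal.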


The views expressed in this publication are not necessarily those of the publishers.

 

All written and image rights are reserved by authors displayed. Creative Common image licenses displayed where applicable.

Reproduction in whole or in part without prior permission from the publisher is strictly prohibited.

All written content Copyright of TaxiPoint 2020.