Uber has fixed a “severe” flaw that allowed hackers to order rides and food on customers’ accounts, at their expense, by using the victim’s email address or phone number.
The bug, which was brought to the company’s attention by Anand Prakash, a cyber security researcher, in April, could also be used to track an Uber customer’s location.
Prakash was able to obtain an account’s unique user ID, or “access token”, by supplying a phone number or email address associated with the account to Uber’s Application Programming Interface (API).
APIs pass information from Uber to third-party app developers so that their apps can work with Uber; Google Maps, for example, uses it to let you hail a cab from your current location.
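To make the flaw concrete, here is an added, hypothetical illustration (not Uber’s code, and not the researcher’s) of a lookup endpoint that hands back an account’s identifier and access token to anyone who knows the email address or phone number, beside a hardened version that requires the caller to authenticate, only returns the caller’s own record, never issues tokens from a lookup, and answers identically for unknown and foreign identifiers so the endpoint cannot be used to confirm who is registered. The account store, identifiers and tokens are constructed sample data.

```python
"""Added example: an unauthenticated identifier-lookup flaw beside a hardened
handler. Hypothetical code, not Uber's. All accounts, tokens and identifiers
below are constructed sample data."""
import hmac

# Constructed sample account store keyed by user id (hypothetical data).
ACCOUNTS = {
    "u-1001": {"email": "alice@example.com", "phone": "+15550000001",
               "access_token": "tok-alice-constructed"},
    "u-1002": {"email": "bob@example.com", "phone": "+15550000002",
               "access_token": "tok-bob-constructed"},
}


def _find_by_identifier(identifier):
    """Return (user_id, record) for a matching email or phone, else None."""
    for uid, rec in ACCOUNTS.items():
        if identifier in (rec["email"], rec["phone"]):
            return uid, rec
    return None


def vulnerable_lookup(params):
    """The flawed pattern: whoever supplies a known email or phone gets the
    account's user id and its access token, with no authentication at all.
    The distinct 404 also confirms which identifiers are registered."""
    hit = _find_by_identifier(params.get("identifier", ""))
    if hit is None:
        return {"status": 404, "error": "no such user"}
    uid, rec = hit
    return {"status": 200, "user_id": uid, "access_token": rec["access_token"]}


def _caller_from_token(headers):
    """Resolve an 'Authorization: Bearer <token>' header to a user id using a
    constant-time comparison; None if absent or not recognised."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for uid, rec in ACCOUNTS.items():
        if hmac.compare_digest(presented, rec["access_token"]):
            return uid
    return None


def hardened_lookup(params, headers):
    """Hardened pattern: the caller must authenticate, may only read their own
    record, and no token is ever returned by a lookup. An identifier that
    belongs to someone else and one that belongs to nobody produce the same
    response, so the endpoint cannot be used to enumerate registered users."""
    caller = _caller_from_token(headers)
    if caller is None:
        return {"status": 401, "error": "authentication required"}
    hit = _find_by_identifier(params.get("identifier", ""))
    if hit is None or hit[0] != caller:
        return {"status": 404, "error": "not found"}
    uid, rec = hit
    # Profile data only; the access token never appears in a response body.
    return {"status": 200, "user_id": uid, "email": rec["email"]}


if __name__ == "__main__":
    alice = {"Authorization": "Bearer tok-alice-constructed"}
    print("vulnerable:", vulnerable_lookup({"identifier": "bob@example.com"}))
    print("hardened, no auth:", hardened_lookup({"identifier": "bob@example.com"}, {}))
    print("hardened, other user:", hardened_lookup({"identifier": "bob@example.com"}, alice))
    print("hardened, own record:", hardened_lookup({"identifier": "+15550000001"}, alice))
```

The two properties worth checking in review are that a lookup is only ever answered for the authenticated caller’s own identifiers, and that the server never mints or echoes a credential in response to a lookup; the uniform “not found” response is what keeps the endpoint from doubling as a registration oracle.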
Uber paid Prakash $6,500 (£5,300) for reporting it under its bug bounty programme, which classed the flaw as “8.5 out of 10, severe”. Uber pays up to $50,000 for disclosures. It fixed the bug just days after being notified.
A spokesman for Uber claimed that it did not believe the flaw had been exploited by criminals. He said that Uber has automated protection in place that detects suspicious activity, such as a login from a new device, and alerts the user either by asking them to confirm the activity or by prompting them to reset their credentials.
They said: “Uber’s bug bounty programme has paid over $2m to more than 600 researchers around the world and we’re grateful for their contributions to help protect the Uber platform.”
The same method of hijacking accounts was used by the hacker who hit Facebook in October 2018.
Using a similar method of stealing “access tokens”, they were able to compromise 30 million Facebook accounts. It is unclear who orchestrated the attack. The Federal Bureau of Investigation opened a probe in October.
Uber, which is currently worth around $57bn, operates in 785 cities around the world.