Indian researcher finds bug that allowed free Uber rides

CIOL Writers

Indian security researcher Anand Prakash discovered a bug in Uber's code last August that allowed free Uber rides. When Prakash reported the issue through Uber’s bug bounty program, he received permission to test it in both India and the US. Prakash was able to exploit the bug successfully, getting free rides in both locations.

The ride-hailing company has now fixed the bug and rewarded Prakash with $5,000. Many tech firms run bug bounty programs to enhance the security of their products. Hackers can make between $100 and $10,000 at Uber, depending on the severity of the bug and whether it impacts other users.

“Attackers could have misused this by taking unlimited free rides from their uber account,” he explained in a blog post describing the issue.

The bug occurred when specifying a method of payment. Prakash showed in a proof-of-concept video that he could specify an invalid payment method, expressed in a simple string of characters like “abc” or “xyz,” and not be billed for the ride.
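The failure class described above, as an added example (not from the original article, Prakash's report or Uber's code): a hypothetical booking handler that skips billing when the payment method is unrecognised, next to a version that rejects the request. All function names, identifiers and sample data are assumptions; the page does not describe Uber's actual implementation.

```python
"""Hypothetical ride-booking model; names and data are constructed, not Uber's."""

# Constructed sample: payment methods on file, keyed by rider account.
METHODS_ON_FILE = {
    "rider-1": {"pm-card-01", "pm-wallet-02"},
    "rider-2": {"pm-card-09"},
}


class InvalidPaymentMethod(Exception):
    """Raised when a request names a method the rider does not own."""


def charge(ledger, rider_id, method_id, fare):
    """Stand-in for the payment processor: record who pays what."""
    ledger.append((rider_id, method_id, fare))


def book_ride_fail_open(ledger, rider_id, method_id, fare):
    """Flawed pattern: an unknown method skips billing but still books."""
    if method_id in METHODS_ON_FILE.get(rider_id, set()):
        charge(ledger, rider_id, method_id, fare)
        billed = fare
    else:
        billed = 0  # lookup failed, nothing billed, ride proceeds anyway
    return {"booked": True, "billed": billed}


def book_ride_fail_closed(ledger, rider_id, method_id, fare):
    """Hardened pattern: validate server-side before any booking happens."""
    owned = METHODS_ON_FILE.get(rider_id, set())
    if not isinstance(method_id, str) or method_id not in owned:
        # Reject instead of defaulting; also covers another rider's method.
        raise InvalidPaymentMethod(f"{method_id!r} not on file for {rider_id}")
    charge(ledger, rider_id, method_id, fare)
    return {"booked": True, "billed": fare}


def unbilled_rides(results):
    """Detection check: booked rides where nothing was billed."""
    return [r for r in results if r["booked"] and r["billed"] == 0]
```

The `unbilled_rides` check is the kind of reconciliation a billing pipeline can run independently of the booking path, so a fail-open regression shows up even if input validation is bypassed.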

"Uber’s bug bounty program works with security researchers all over the world to fix bugs, even when they don’t directly impact our users. We appreciate Anand’s ongoing contributions and were happy to reward him for an excellent report," Uber responded.
