Hacker nets $5,000 for finding bug that made Uber rides completely free

Oliver Cragg

Uber has paid a hacker a $5,000 (£4,075) bounty for a security loophole in the popular 'taxi' app that made every ride completely free. The bug, which has since been fixed, was confirmed to work in every country where Uber's ride-sharing service operates.

Anand Prakash, a security researcher from Bangalore, India, submitted the payment-dodging loophole through the bug bounty platform HackerOne late last year. Uber gave Prakash permission to test the bug in both the US and India, and he successfully triggered it in both countries.


Prakash claimed that prior to the fix, "attackers could have misused this by taking unlimited free rides from their Uber account."

In a blog post, the researcher noted that an attacker could bypass Uber's billing simply by submitting arbitrary characters in place of a valid payment method.


"Users can create their account on Uber.com and can start riding," he said. "When a ride is completed a user can either pay cash or charge it to their credit/debit card. But, by specifying an invalid payment method for example: abc, xyz etc, I could ride Uber for free."
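The article does not say why Uber's back end accepted "abc" as a payment method, so the following is an illustrative model of the bug class rather than Uber's code: a ride-billing flow that trusts the client-supplied payment-method string and completes the ride even when the charge fails, shown beside a hardened version that checks the method belongs to the account before the ride starts and fails closed when the processor rejects it. All names (`FakeGateway`, `request_ride_*`, `complete_ride_*`, the `pm_` token format) and the sample account are constructed for this example.

```python
"""Illustrative model of an unvalidated payment-method endpoint beside a hardened
version. Constructed for this article; not Uber's code, and the article does not
describe Uber's actual root cause."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


class ChargeError(Exception):
    """Raised by the (simulated) card processor when a charge cannot be made."""


@dataclass
class User:
    user_id: str
    payment_methods: Dict[str, str]      # method_id -> display label (constructed)
    outstanding_cents: int = 0           # unpaid fares owed by this account


@dataclass
class Ride:
    user_id: str
    fare_cents: int
    payment_method: str
    status: str = "in_progress"
    charged_cents: int = 0


class FakeGateway:
    """Stand-in processor: charges only tokens that look like live 'pm_' cards."""
    def __init__(self) -> None:
        self.charges: List[Tuple[str, int]] = []

    def charge(self, method_id: str, amount_cents: int) -> None:
        if not method_id.startswith("pm_") or "expired" in method_id:
            raise ChargeError(f"cannot charge {method_id!r}")
        self.charges.append((method_id, amount_cents))


# --- vulnerable flow: the client-supplied method string is trusted end to end ---

def request_ride_vulnerable(user: User, method_id: str, fare_cents: int) -> Ride:
    # No check that method_id is 'cash' or one of the user's registered methods.
    return Ride(user.user_id, fare_cents, method_id)


def complete_ride_vulnerable(ride: Ride, gateway: FakeGateway) -> Ride:
    if ride.payment_method != "cash":
        try:
            gateway.charge(ride.payment_method, ride.fare_cents)
            ride.charged_cents = ride.fare_cents
        except ChargeError:
            pass    # fail-open: billing error swallowed, ride still completes unpaid
    ride.status = "completed"
    return ride


# --- hardened flow: validate ownership up front, fail closed on charge errors ---

def request_ride_hardened(user: User, method_id: str, fare_cents: int) -> Ride:
    if user.outstanding_cents > 0:
        raise PermissionError("account has unpaid fares")
    if method_id != "cash" and method_id not in user.payment_methods:
        # 'abc', 'xyz' and any other arbitrary string are rejected here, server side.
        raise ValueError(f"{method_id!r} is not a payment method on this account")
    return Ride(user.user_id, fare_cents, method_id)


def complete_ride_hardened(ride: Ride, user: User, gateway: FakeGateway) -> Ride:
    if ride.payment_method == "cash":
        ride.status = "completed"
        return ride
    try:
        gateway.charge(ride.payment_method, ride.fare_cents)
    except ChargeError:
        # Fail closed: record the debt so the next ride request is refused.
        ride.status = "payment_failed"
        user.outstanding_cents += ride.fare_cents
        return ride
    ride.charged_cents = ride.fare_cents
    ride.status = "completed"
    return ride


if __name__ == "__main__":
    # Constructed sample account: one live card, one expired card.
    alice = User("u1", {"pm_visa_1": "Visa 4242", "pm_expired_9": "old card"})
    gw = FakeGateway()
    r = complete_ride_vulnerable(request_ride_vulnerable(alice, "abc", 1250), gw)
    print("vulnerable:", r.status, "charged", r.charged_cents)
    try:
        request_ride_hardened(alice, "abc", 1250)
    except ValueError as err:
        print("hardened:", err)
```

The two checks matter separately: rejecting unregistered identifiers at ride request closes the "abc" case, while recording the debt on a failed charge means that even a registered card that later declines cannot be used for unlimited free rides.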

Uber, which offers up to $10,000 to anyone who can expose major security flaws within its system, fixed the bug on the same day it was reported in August 2016, although the loophole had been kept under wraps until Prakash's blog post on 3 March.


"Uber's bug bounty program works with security researchers all over the world to fix bugs, even when they don't directly impact our users," an Uber spokesperson told TechCrunch. "We appreciate Anand's ongoing contributions and were happy to reward him for an excellent report."

Prakash is highly rated within the HackerOne community, ranking 14th in Uber's bounty scheme and third in that of social media giant Twitter. Other tech companies that use the service to discover security issues include Snapchat, Slack, Yahoo, Nintendo and Rockstar Games.
