Recently, a security researcher found a security bug in Uber’s two-factor-authentication system. This flaw could allow hackers to infiltrate users’ accounts with ease.
Uber’s only comment on the situation is that the issue wasn’t that severe.
The security researcher behind the findings is Karan Saini, a New Delhi-based cyber security analyst.
Saini sent the information he found to HackerOne, which manages Uber’s security bug program.
Saini’s report was rejected.
If you don’t know already, 2FA (two-factor authentication) works by sending a code in a text message to the user’s phone; the user must then enter that code to verify their identity.
Report from Saini
Saini, in his report, detailed a flaw in the Uber platform’s two-factor authentication.
Hackers can impersonate the user by signing into the account with the user’s email and password.
The attacker doesn’t even need to enter the security code to get past the account’s protection, thanks to the Uber 2FA flaw in question.
Once in, the hacker can view past activity by looking through the app. The attacker can take note of addresses the victim entered before as well as whatever payment methods exist in the app.
The snooper also has the option of booking a new trip from the compromised account.
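The report describes a second factor that can be skipped outright, but nothing on this page says how the skip worked, so the following is a constructed, generic model rather than Uber’s code. It is an added example showing the property a login design needs so that the password step alone never counts as a full login: the server records that a session still owes a code, and every protected request is refused until verify_otp clears that flag. The risk_engine, login, verify_otp, trip_history and can_access functions, the sample user and the IP addresses are all assumptions made for the example; the policy of requiring the second factor only for logins from an unseen IP is likewise assumed, modelled on the “only when suspicious” approach the article describes.

```python
"""Constructed model of a fail-closed two-factor login flow (not Uber's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo user store: email -> salted password hash.
_SALT = b"demo-salt"
USERS = {"alice@example.com": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
# IPs the account has logged in from before; anything else is treated as suspicious.
KNOWN_IPS = {"alice@example.com": {"203.0.113.5"}}
SESSIONS: dict = {}


@dataclass
class Session:
    user: str
    mfa_required: bool          # decided by the server, never by the client
    mfa_verified: bool = False
    otp_hash: Optional[str] = None
    attempts: int = 0


def risk_engine(email: str, ip: str) -> bool:
    """Assumed step-up policy: require the second factor for an unseen IP."""
    return ip not in KNOWN_IPS.get(email, set())


def login(email: str, password: str, ip: str) -> Tuple[str, Optional[str]]:
    """Password step. Returns (session_id, otp). otp is None when 2FA is not required;
    otherwise it is what the SMS gateway would send, and it never goes to the client."""
    stored = USERS.get(email)
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, candidate):
        raise PermissionError("bad credentials")
    sess = Session(user=email, mfa_required=risk_engine(email, ip))
    otp = None
    if sess.mfa_required:
        otp = f"{secrets.randbelow(10**6):06d}"
        sess.otp_hash = hashlib.sha256(otp.encode()).hexdigest()
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = sess
    return sid, otp


def verify_otp(sid: str, code: str) -> bool:
    """Second step. Only a correct code flips mfa_verified; attempts are rate-limited."""
    sess = SESSIONS[sid]
    if not sess.mfa_required or sess.otp_hash is None:
        return False
    sess.attempts += 1
    if sess.attempts > 5:
        del SESSIONS[sid]
        raise PermissionError("too many attempts")
    ok = hmac.compare_digest(sess.otp_hash, hashlib.sha256(code.encode()).hexdigest())
    if ok:
        sess.mfa_verified = True
        sess.otp_hash = None   # single use
    return ok


def is_authenticated(sess: Session) -> bool:
    """Fail closed: a session that still owes a second factor is not logged in."""
    return (not sess.mfa_required) or sess.mfa_verified


def trip_history(sid: str) -> list:
    """A protected resource; the gate lives here, on the server, for every request."""
    sess = SESSIONS.get(sid)
    if sess is None or not is_authenticated(sess):
        raise PermissionError("second factor required")
    return ["constructed trip: home -> airport"]


def can_access(sid: str) -> bool:
    """Helper for checks: does this session currently reach protected data?"""
    try:
        trip_history(sid)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    sid, otp = login("alice@example.com", "correct horse", "198.51.100.9")
    print("before code:", can_access(sid))      # False: password alone is not enough
    print("after code:", verify_otp(sid, otp) and can_access(sid))
```

The design point is that `mfa_required` is set by the server at password time and only `verify_otp` can satisfy it, so there is no request an attacker holding just the password can make that reaches `trip_history`. A design that instead treats the password step as the login and the code as a separate, advisory check has exactly the gap the report describes.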
How about a ride to the airport for a flight to Los Angeles without you knowing?
Uber listed Saini’s report as “informative.” According to Uber, that means the report contained useful information but did not call for immediate action.
There are several bug bounty programs out there that lack the needed accountability and integrity required to operate them. Being laconic and seemingly—but not actually—transparent is only bound to inculcate distrust between security teams and researchers.
— Karan Saini (@squeal) January 23, 2018
Rob Fletcher, the Uber Security Engineering Manager, was the one to get in touch with Saini on the report.
He told Saini that the bug was there and that it wasn’t severe enough to warrant an immediate fix.
Fletcher also revealed a notable detail: two-factor authentication isn’t enforced across the board. Uber only turns 2FA on when a request seems suspicious.
Lindsey Glovin, a bug program manager for Uber, also commented on the report.
Glovin said that Uber had received many reports regarding the 2FA bug, but had set them aside in favor of “testing other alternatives.”
Saini balked at Uber’s response. He commented that the 2FA system was pointless if it was not used as a security feature.
He went on to say that hackers had no doubt already discovered the bug, since it was easy to spot.
Uber’s leaked usernames and passwords for sale online since 2015
Uber credentials have been a staple of the black market. They sell for as little as $1 per username and password.
Uber is no stranger to criticism in the news. It reportedly tried to cover up a data breach in 2016 by paying off the hackers (an amount of $100,000) to sweep the breach under the rug.
Over 59 million users of the car-sharing app around the globe were affected by that attack.
Although Uber released a statement about Saini’s bug report, it brushed off the seriousness of the situation.
Uber claimed that the bug was a result of its security team testing and evaluating different options to improve the app.
Melanie Ensign, a spokesperson for Uber, commented further on the situation. She said Uber has been working to develop solutions for the millions of users who have reported lost or stolen phones and therefore cannot receive codes on the device.
Final Statement from Uber
Uber released a final statement declaring that it had fixed the bug in question before reports started coming out against it.
Saini found this suspicious.
In his final comment on the situation, he questioned how Uber was able to fix the bug barely an hour after reports of it broke, when for months Uber had been assuring critics that it was working on a long-term fix.
He then criticized Uber for concealing its actions, saying that trust cannot be built between a company and its customers without complete transparency.
Uber has not responded to requests for a comment on the matter.