Bugs, depending on their severity, can drastically affect the quality of a service and the satisfaction of its users. Therefore, many companies with highly popular services have created their own bug bounty programs, which reward people who discover and responsibly report vulnerabilities rather than exploiting them for their own gain.
Uber has recently revealed that it fixed a bug discovered by Anand Prakash, a security researcher who first found it back in August 2016. The bug allowed anyone who exploited it to take free rides whenever they wanted, in various locations. Prakash received official permission from Uber to test the bug in both India and the United States, where he successfully demonstrated the exploit with authorization.
Discovering bugs in popular services and reporting them for cash is a good way to make an honest living as a hacker or security researcher. Companies tend to pay in proportion to the severity and impact of the bug on their service. In this case, Prakash received $5,000 after reporting the Uber bug in question.
Uber fixed the bug the same day it was reported, but Prakash waited until now to discuss it publicly. He explained the specifics in a blog post, stating that attackers could have used it to take unlimited free rides from their account. The blog post also included a proof-of-concept video showing how the bug worked.
According to Prakash, the bug was in the way the service handled the user's chosen payment method. When the billing options appeared, he could submit an invalid payment method, for example a string as simple as "abc". The service accepted this as a valid payment method and the ride went through, but the user was never billed for it.
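The class of flaw described above, a server that stores whatever payment method identifier the client sends and then fails open when billing cannot find it, is illustrated below as an added example. This is hypothetical code written for this page, not Uber's implementation and not Prakash's proof of concept; the handler names, the `PAYMENT_METHODS` table and the `Ride` record are all assumptions. The hardened version checks the identifier against the methods registered for that user on the server and fails closed at billing time.

```python
from dataclasses import dataclass

# Constructed sample data: payment methods the server has on file, keyed by user id.
# User 42 has exactly one registered card; nothing else is a valid method for them.
PAYMENT_METHODS = {
    42: {"pm_1": {"type": "card", "last4": "4242"}},
}


class PaymentError(Exception):
    """Raised when a payment method is missing, unknown, or not owned by the user."""


@dataclass
class Ride:
    user_id: int
    payment_method_id: str
    charged: bool = False


# --- vulnerable path -----------------------------------------------------------

def request_ride_vulnerable(user_id: int, payload: dict) -> Ride:
    # Trusts the client: whatever string arrives is stored as the payment method.
    # No check that it exists, or that it belongs to this user.
    return Ride(user_id=user_id, payment_method_id=payload["payment_method_id"])


def bill_ride_vulnerable(ride: Ride, amount: float) -> bool:
    # Billing runs after the ride. If the lookup finds nothing it silently skips
    # the charge: the ride has already happened, so this fails open.
    method = PAYMENT_METHODS.get(ride.user_id, {}).get(ride.payment_method_id)
    if method is None:
        return False
    ride.charged = True
    return True


# --- hardened path -------------------------------------------------------------

def request_ride_hardened(user_id: int, payload: dict) -> Ride:
    # Validate at request time: the identifier must be a string and must be one of
    # the methods the server already holds for this user. "abc" is rejected here.
    pm_id = payload.get("payment_method_id")
    if not isinstance(pm_id, str) or pm_id not in PAYMENT_METHODS.get(user_id, {}):
        raise PaymentError("unknown or unauthorized payment method")
    return Ride(user_id=user_id, payment_method_id=pm_id)


def bill_ride_hardened(ride: Ride, amount: float) -> bool:
    # Re-check ownership at billing time (defense in depth) and fail closed:
    # a ride with no chargeable method is an error, not a free ride.
    method = PAYMENT_METHODS.get(ride.user_id, {}).get(ride.payment_method_id)
    if method is None:
        raise PaymentError("cannot bill ride: payment method missing")
    ride.charged = True
    return True


def simulate(request_fn, bill_fn, user_id: int, payload: dict, amount: float) -> str:
    """Run one request/bill cycle and classify the outcome for comparison."""
    try:
        ride = request_fn(user_id, payload)
    except PaymentError:
        return "rejected"
    try:
        return "charged" if bill_fn(ride, amount) else "free_ride"
    except PaymentError:
        return "billing_failed_closed"


if __name__ == "__main__":
    bogus = {"payment_method_id": "abc"}
    real = {"payment_method_id": "pm_1"}
    print("vulnerable, bogus method:", simulate(request_ride_vulnerable, bill_ride_vulnerable, 42, bogus, 12.5))
    print("hardened,   bogus method:", simulate(request_ride_hardened, bill_ride_hardened, 42, bogus, 12.5))
    print("hardened,   real method: ", simulate(request_ride_hardened, bill_ride_hardened, 42, real, 12.5))
```

The point of the two `bill_ride_*` functions is the failure mode, not the lookup: a charge step that returns quietly when it has nothing to charge turns an input-validation bug into a free service. Validating the identifier against server-side state when the ride is requested, and raising rather than returning when billing cannot proceed, closes both halves.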
Uber also released a statement thanking Prakash for his efforts and ongoing contributions, and said it was happy to compensate him for his report. Prakash also works with other companies, including Facebook, to discover bugs that he reports for cash rewards.
What do you think about this Uber bug? Would you have reported it, or just exploited it?