Uber Could Have Been In Trouble, Thanks To Anand Prakash.
Anand Prakash, an Indian hacker from Bangalore, found a loophole in the Uber app that, had it gone undiscovered, could have given someone free Uber rides for life. He showed that an invalid payment method could be used to get rides for free.
Anand stated that Uber, a San Francisco-based transportation company that is used in around 528 cities and has approximately 200 researchers on board who are hired to deal with security issues, missed this flaw in its security. It could have been a huge loss to the firm had it gone unnoticed. Anand also said that getting unlimited free Uber rides is not as easy as one might think: one needs to be familiar with code and scripting. The flaw has now been fixed by Uber, thanks to Anand Prakash.
He demonstrated the bug after obtaining permission from the Uber team, showing how someone in India and the US could easily travel for free via Uber. He also posted some details on his blog:
Vulnerable request:
POST /api/dial/v2/requests HTTP/1.1
Host: dial.uber.com

{"start_latitude":12.925151699999999,"start_longitude":77.6657536,
"product_id":"db6779d6-d8da-479f-8ac7-8068f4dade6f","payment_method_id":"xyz"}
Steps to reproduce:
1) Replayed the above request with random characters as payment_method_id.
2) Ride was free.
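The server-side check that rejects such a request, shown beside a handler that lacks it. This is an added example, not code from Anand's blog or from Uber: the handler names, the in-memory payment store and the assumed cause (the id being accepted without lookup) are hypothetical, since the article does not describe Uber's implementation or fix.

```python
# Added illustration; every name and value here is hypothetical, not Uber's API.
from dataclasses import dataclass

@dataclass(frozen=True)
class PaymentMethod:
    id: str
    owner_id: str
    active: bool

# Constructed sample data: payment methods on file, keyed by id.
PAYMENT_METHODS = {
    "pm-1001": PaymentMethod("pm-1001", "rider-1", True),
    "pm-1002": PaymentMethod("pm-1002", "rider-1", False),  # expired card
    "pm-2001": PaymentMethod("pm-2001", "rider-2", True),
}

class RequestRejected(Exception):
    """Raised when a ride request fails server-side validation."""

def create_ride_naive(rider_id, body):
    # Assumed failure mode: the id is stored as sent and only resolved at
    # billing time, where an unknown id means nothing is charged.
    return {"rider": rider_id, "status": "accepted",
            "payment_method_id": body.get("payment_method_id")}

def create_ride_checked(rider_id, body):
    pm_id = body.get("payment_method_id")
    if not isinstance(pm_id, str):
        raise RequestRejected("payment_method_id missing or not a string")
    method = PAYMENT_METHODS.get(pm_id)
    # One error for "unknown" and "someone else's": do not reveal valid ids.
    if method is None or method.owner_id != rider_id:
        raise RequestRejected("unknown payment method")
    if not method.active:
        raise RequestRejected("payment method not chargeable")
    return {"rider": rider_id, "status": "accepted", "payment_method_id": method.id}

def try_request(handler, rider_id, body):
    """Return 'accepted' or the rejection reason for one request."""
    try:
        return handler(rider_id, body)["status"]
    except RequestRejected as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    for pm in ("xyz", "pm-2001", "pm-1002", "pm-1001"):  # constructed inputs
        body = {"start_latitude": 12.9251517, "payment_method_id": pm}
        print(pm, "| naive:", try_request(create_ride_naive, "rider-1", body),
              "| checked:", try_request(create_ride_checked, "rider-1", body))
```

The check runs before the ride is created, so a bad id fails the request itself instead of surfacing later as an unbillable trip.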
Anand is an ethical hacker who makes his money by finding security bugs. Uber rewarded Anand with $13,500 (approx 9 lakh) for finding the flaw. Anand is currently one of the top hackers in Facebook's White Hat bug-finding program. He was also awarded $15,000 (approx 10 lakh) by Facebook when he discovered a bug that allowed Facebook profiles to be hacked and passwords to be changed.