Hackers can do anything nowadays. In a show of this recently gained power, three hackers discovered flaws in the Uber software that allowed them to create fake driver accounts and that also exposed user email addresses to them. The flaws the three discovered also gave them access to about 1,000 valid coupon codes on the Uber system; one of the codes gave drivers an extra $100 for a single fare.
Fortunately, the ‘white hat hackers’ gave the company a ring and notified them of the flaws. The company confirmed that they were working on repairing the holes that had been disclosed.
The team of three, which comprises Vito Oliveira, Fabio Pires and Filipe Reis, are all employed at the Portuguese-based consultancy firm Integrity. They were also helpful when contacted for comment and described the flaws in detail. They only talked about the already fixed ones and said the others would be kept under wraps until Uber could fix all of them.
The hackers said that they entered the Uber network and, after a few hours, could already see two open redirects, which they reported the moment they saw them. They said that, from their own viewpoint, the security team was expected to take the reported issues as seriously as it could and to resolve them as quickly as possible.
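Open redirects, the first class of flaw the trio reported, arise when a site forwards users to a URL taken from the request without checking where it points. The following check is an added example written for this article, not Uber's code or anything the researchers published; the allow-listed hosts (`example.com` and `www.example.com`) and the function names are assumptions chosen for illustration. It accepts only same-site relative paths and absolute URLs whose host is on the allow-list, and it rejects the usual bypass shapes (scheme-relative `//host`, credentials before `@`, backslashes, non-HTTP schemes) that a naive prefix check would let through.

```python
from urllib.parse import urlparse

# Constructed allow-list: the hosts this application is permitted to redirect to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on an allow-listed host.

    Accepted forms:
      * a relative path starting with exactly one '/'  (e.g. '/account')
      * an absolute http(s) URL whose hostname is in `allowed_hosts`
    Everything else is rejected, including the common bypass shapes.
    """
    if not target:
        return False
    # Browsers normalise '\' to '/', so '/\evil.com' becomes '//evil.com'.
    if "\\" in target:
        return False
    parsed = urlparse(target)
    # Only plain web schemes are ever acceptable (no javascript:, data:, ...).
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False
    if parsed.netloc:
        # Absolute or scheme-relative URL: hostname (not netloc) is compared,
        # so 'http://example.com@evil.com/' resolves to 'evil.com' and fails.
        host = (parsed.hostname or "").lower()
        return host in allowed_hosts
    # No host component: must be a relative path with exactly one leading '/'.
    if not target.startswith("/") or target.startswith("//"):
        return False
    return True


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` if it passes the check, otherwise a safe fallback."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive in a ?next= parameter.
    for candidate in ["/account", "//evil.com/x", "https://example.com/a",
                      "https://evil.com/", "javascript:alert(1)",
                      "http://example.com@evil.com/", "https://example.com.evil.com/"]:
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate)}")
```

The important design choice is comparing `parsed.hostname` against an exact allow-list rather than checking whether the string starts with or contains the site's domain; the latter is exactly what `https://example.com.evil.com/` and `http://example.com@evil.com/` are built to defeat.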
The trio also described, in detail, how they had chained the flaws they found to build more elaborate and dangerous attack scenarios. Through these scenarios, they gained access to users' personal information, device data, and the trip histories of the drivers and riders involved on the Uber platform.
They also described how they had abused the Uber help section: they searched for user email addresses, submitted fare-split requests, and were then able to view the user's picture. They could also see the passenger's UUID and phone number, and retrieve the trip details for both passenger and driver, including the full directions and fares, all of which could be plotted on a map.
The group also says they managed to manipulate the Uber driver account activation flow and created and validated fake driver accounts. Using brute-force checks, the three say they discovered thousands of discount coupons. The group said the most valuable of the discount codes they discovered was the $100 Emergency Ride Home code, which gives drivers an extra $100 on top of their regular fare when applied.
The trio applauded Uber's efforts and responsiveness in resolving the issues, but declined to comment on how much they received for their work under Uber's bug bounty program.