A hacker from Bangalore, in India, has uncovered a security loophole in the famous Uber app, which allows anyone to get a lifetime of free rides. Yes, you heard it right — never pay Uber for your rides, ever!
The hacker, Anand Prakash, has revealed a video that shows how anyone could have used the loophole within the Uber app to gain free rides for life. He mentions that the San Francisco-based transportation company, which has around 528 cities in its portfolio, has a security flaw. When a user creates an account on the portal and starts riding, he can ride and pay after completion, either by credit or debit card, by cash, or with a wallet. However, when he specified an invalid payment method that he could not pay from, the Uber app allowed him to ride for free.
He demonstrated the bug after taking due permissions from the Uber team. He showed the team how he could ride for free with the flaw in India and in the United States, and he wasn’t charged a penny.
He has posted the same details on his blog, as follows:
Vulnerable request:
POST /api/dial/v2/requests HTTP/1.1
Host: dial.uber.com
{"start_latitude":12.925151699999999,"start_longitude":77.6657536,
"product_id":"db6779d6-d8da-479f-8ac7-8068f4dade6f","payment_method_id":"xyz"}
Steps to reproduce:
1) Replayed the above request with random characters as payment_method_id.
2) Ride was free.
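The root cause described above is a server that trusts the client-supplied payment_method_id instead of resolving it against the account. The following is an added example (not Uber's code or the researcher's) showing a handler that mirrors the reported flaw beside a hardened one; the data model, ids and user names are constructed for illustration, and only the request body and product_id come from the write-up.

```python
import uuid
from dataclasses import dataclass

# Constructed sample data for this example; it is not Uber's data model.
@dataclass
class PaymentMethod:
    method_id: str
    owner_id: str
    chargeable: bool  # False once a card is removed or has expired

# Server-side registry of every stored payment method, keyed by id.
PAYMENT_METHODS = {
    "11111111-1111-4111-8111-111111111111": PaymentMethod(
        "11111111-1111-4111-8111-111111111111", "alice", True),
    "22222222-2222-4222-8222-222222222222": PaymentMethod(
        "22222222-2222-4222-8222-222222222222", "bob", True),
    "33333333-3333-4333-8333-333333333333": PaymentMethod(
        "33333333-3333-4333-8333-333333333333", "alice", False),
}

# The body from the write-up, with the replayed junk payment_method_id.
SAMPLE_BODY = {
    "start_latitude": 12.925151699999999,
    "start_longitude": 77.6657536,
    "product_id": "db6779d6-d8da-479f-8ac7-8068f4dade6f",
    "payment_method_id": "xyz",
}

def request_ride_unvalidated(user_id, body):
    """Mirrors the reported flaw: the client-supplied id is stored as-is and the
    ride is dispatched even though nothing can ever be charged against it."""
    return {"status": "dispatched", "payment_method_id": body["payment_method_id"]}

def request_ride_validated(user_id, body):
    """Hardened handler: the id must be well-formed, must exist, must belong to
    the authenticated user, and must still be chargeable before dispatch."""
    pm_id = str(body.get("payment_method_id", ""))
    try:
        uuid.UUID(pm_id)
    except ValueError:
        return {"status": "rejected", "reason": "malformed payment_method_id"}
    pm = PAYMENT_METHODS.get(pm_id)
    if pm is None or pm.owner_id != user_id:
        # Same answer for unknown and foreign ids, so existence is not revealed.
        return {"status": "rejected", "reason": "payment method not on account"}
    if not pm.chargeable:
        return {"status": "rejected", "reason": "payment method not chargeable"}
    return {"status": "dispatched", "payment_method_id": pm.method_id}
```

The replayed body is dispatched by the first handler and rejected by the second; the ownership check also blocks a valid id that belongs to a different account.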
The proof of concept was demonstrated in the video below:
The hack may not be as simple as one thinks and cannot be easily replicated by any common user; you need to know a little scripting and coding to do the same. However, the security flaw has now been fixed by Uber — thanks to the hacker, who saved Uber from a huge loss had someone else exploited the flaw and it gone unnoticed.
Uber’s security programme has around 200 researchers on board who deal with bugs and exploits. The company pays up to $10,000 as an award for any critical issue identified and reported to it. Prakash is an ethical hacker and makes a living from finding security bugs. Uber has rewarded Prakash around $13,500 through its bounty programme. Prakash is also presently one of the top hackers in Facebook’s White Hat bug-finding programme. He was the one who found the security flaw in Facebook whereby one could take over anyone’s Facebook account and change its password with ease. He received an award of $15,000 from Facebook.