Uber Reportedly Ignored Security Flaw That Grants Hackers Access to User Accounts

Uber is under fire for reportedly dismissing a security flaw that can allow hackers to bypass the app’s two-factor authentication (2FA) and gain unauthorized access to user accounts. A New Delhi-based security researcher, Karan Saini, discovered the flaw and filed a report with HackerOne, which administers the ride-hailing app’s bug bounty program. According to Saini, however, his report was quickly rejected, with Uber stating it was “informative” but “did not warrant an immediate action or a fix.” “This isn’t a particularly severe report and is likely expected behavior,” said Rob Fletcher, security engineering manager at Uber, in response to Saini’s report. The bug works by exploiting a weakness in how the app authenticates a user when they log in to the platform, explained ZDNet:

“The end result is that the user can log in to an account and easily defeat the two-factor prompt, without entering the correct code. That means anyone could log in to your account with just your email address and password, which can be easily obtained if passwords are reused on other sites that have been breached.”

In recent years, companies like Facebook, Amazon and Google have implemented 2FA to help improve account security and protect users’ personal information. The security feature is yet to be made available to all Uber users, despite the company testing it on its systems since 2015. Uber Spokesperson Melanie Ensign told ZDNet that the company only uses two-factor “when certain requests are deemed suspicious,” and it is “not an account-wide setting used on every device.” Meanwhile, Uber assured the bug “is not a bypass,” and is “likely caused by the security team’s ongoing testing to evaluate and refine the effectiveness of different techniques” to secure accounts.