Home / Tech News / Researcher finds bug that allowed free Uber rides

Researcher finds bug that allowed free Uber rides



Uber has patched a bug in its code that allowed a researcher — and anyone else who might’ve discovered the problem — to hail Uber rides without paying for them.

Anand Prakash, a security researcher, discovered the bug in August and received permission from Uber to test it in the U.S. and India. He was able to successfully exploit the bug, getting free rides in both locations.

Prakash reported the issue through Uber’s bug bounty program, which rewards hackers with cash for finding and reporting security vulnerabilities. Many tech companies operate bug bounty programs as a way to strengthen the security of their products. Hackers can make between $100 – $10,000 at Uber depending on the severity of the bug and whether it impacts other users. Uber fixed the bug the same day Prakash reported it and paid him $5,000, but Prakash waited until this week to publicly discuss the bug.

“Attackers could have misused this by taking unlimited free rides from their uber account,” he explained in a blog post describing the issue.

The bug occurred when specifying a method of payment. Prakash showed in a proof-of-concept video that he could specify an invalid payment method, expressed in a simple string of characters like “abc” or “xyz,” and not be billed for the ride.