Uber dismissive about security flaw that lets hackers bypass its 2FA

Uber has no plans to fix a critical security flaw in its two-factor authentication (2FA) protocol reported by an IT security researcher.

An Indian IT security researcher Karan Saini has discovered a critical security flaw in the two-factor authentication protocol used by the ride-hailing giant Uber to protect user accounts from hijacking and prevent their data from hackers.

The flaw, on the other hand, allows attackers to bypass 2FA that could apparently lead them to perform a number of malicious acts including hacking a targeted account, change its username and password and book expensive rides etc.

More: Uber users beware; Faketoken Android malware hits ride-sharing apps

Simply put, 2FA is an extra layer of security that is known as “multi-factor authentication” that requires not only a password and username but also something that only that user has on them, i.e. a piece of information only they should know or have immediately to hand – such as a physical token or a code.

Uber not serious about fixing the bug

In Uber’s case, Siani reported his findings to Uber’s bug bounty program on HackerOne, who acknowledged that there is indeed a bug in its two-factor authentication but at the same time the company downplayed the severity of it and stated that his findings were informative but “this report contained useful information but did not warrant an immediate action or a fix.”

Uber uses two-factor authentication in case of suspicious login activity and sends the second code to the user’s device in order to verify their identity. Uber has been testing the 2FA feature since 2015 however, Siani’s findings highlighted how a hacker can bypass 2FA security without even entering the correct code.

According to a statement to ZDNet, Uber spokesperson Melanie Ensign said that the bug was not a bypass but could be caused by ongoing security testing the company is conducting on the app.

“We’ve been testing different solutions since we received a lot of user complaints about requiring 2FA on [an Uber web address which we are redacting per our decision to not reveal specifics of the bug] when people are trying to report a lost or stolen phone and can’t receive a code on that device, Ensign told ZDNet.

“We believe those tests are causing both the existence and inconsistency of this issue.”

Not for the first time 

If you are a hacker or security researcher keen to report vulnerabilities to Uber you have to be sure about the severeness of it as you never know what is serious for the company and what not. However, this is not the first time that Uber has rejected someone’s findings regarding the presence of critical security flaws in its online infrastructure. In December 2017, a security researcher Gregory Perry reported his findings to Uber bug bounty program on HackerOne but in return, the company rejected his findings.

In his blog post “How I Got Paid $0 From the Uber Security Bug Bounty” Perry described his experience with Uber and labeled its bug bounty program as “completely bogus.”

Uber pays to cybercriminals but not to the good guys

Last time when Uber was in news regarding its security was in November 2017 when Bloomberg reported that the ride-hailing giant suffered a massive security breach in October 2016 in which hackers stole private details of around 75 million Uber users. In return, the company paid $100,000 to hackers to hide the breach.

In the breach, two hackers stole files containing names and license numbers of 600,000 drivers from the US and personal data such as names, email IDs and mobile phone numbers of 57 million Uber users from across the globe. 

More: Uber users beware; Faketoken Android malware hits ride-sharing apps

If Uber keeps on treating the good guys like Saini and Perry in such a negative manner, it is quite possible that reluctant security researchers might simply stop reporting their findings to Uber which could be disastrous for the company. Remember, companies like Google and Microsoft have their own security teams yet they depend on independent security researchers and firms to report the existence of vulnerabilities and malware in the system and it has been quite successful for both.

Image credit: DepositPhotos/Simpson33

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.