Anand Prakash, a security researcher, found a bug last year in Uber’s application that allowed him to get free rides with the company’s car-hailing service.
He reported the issue to Uber, which gave him permission to test the bug in the United States as well as India. In both locations, Prakash was able to get free rides with Uber.
The issue was reported through Uber’s bug bounty program, where payouts range from $100 to $10,000 depending on the severity of the vulnerability and the impact to Uber’s business.
The bug in question cropped up when choosing a payment method. While the bug was unpatched, users could specify an invalid payment method like ‘xyz’ or ‘abc’ and not be billed for the ride.
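The pattern behind this class of bug, as an added illustration that is not Uber's code and not from Prakash's write-up: a server that treats an unrecognised payment method as "nothing to charge" fails open, while a server that validates the client-supplied method against the rider's registered methods and rejects the trip fails closed. Rider and method identifiers are constructed sample values.

```python
# Constructed sample data: one rider with a single registered payment method.
RIDERS = {"rider-1": {"payment_methods": {"card-42"}}}

# Records (rider_id, method_id, amount) for every successful charge.
CHARGES = []


def charge_fail_open(rider_id, method_id, amount):
    """Vulnerable pattern (assumed for illustration): an unrecognised
    payment method is silently skipped, so the ride completes unbilled."""
    known = RIDERS[rider_id]["payment_methods"]
    if method_id in known:
        CHARGES.append((rider_id, method_id, amount))
        return "charged"
    # Unknown method: no charge is recorded, but the trip still goes ahead.
    return "completed_unbilled"


def charge_fail_closed(rider_id, method_id, amount):
    """Hardened pattern: the client-supplied method must be a string that
    belongs to this rider; anything else is rejected before dispatch."""
    known = RIDERS.get(rider_id, {}).get("payment_methods", set())
    if not isinstance(method_id, str) or method_id not in known:
        raise ValueError(
            f"payment method {method_id!r} is not registered for {rider_id}"
        )
    CHARGES.append((rider_id, method_id, amount))
    return "charged"


def unbilled_rides(ride_outcomes):
    """Detection helper for the fail-open case: given (rider_id, outcome)
    pairs, return the riders whose trips completed without a charge."""
    return [rider for rider, outcome in ride_outcomes if outcome != "charged"]


if __name__ == "__main__":
    outcomes = [
        ("rider-1", charge_fail_open("rider-1", "card-42", 12.50)),
        ("rider-1", charge_fail_open("rider-1", "xyz", 12.50)),
    ]
    print("unbilled:", unbilled_rides(outcomes))
    try:
        charge_fail_closed("rider-1", "xyz", 12.50)
    except ValueError as err:
        print("rejected:", err)
```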
The bug was patched the same day that it was reported by Prakash, and he received compensation of $5,000 as part of the bug bounty program. However, he waited until this week to publish his findings and a proof-of-concept video showing how he exploited the bug.
Prakash also gave a detailed explanation about the bug and the vulnerable request, and posted the video on his blog here.
Bug bounties can be highly lucrative for ethical hackers. Some zero-day vulnerabilities on widely used applications can fetch them hundreds of thousands of dollars. But it doesn’t always work in the company’s favor.
For example, Apple is known to offer up to $200,000 for iOS zero-day vulnerabilities found by security researchers. But in September, well-known exploit acquisition firm Zerodium was offering $1.5 million for a successful iOS 10 jailbreak. In fact, they paid out $1,000,000 to one hacker team that created a browser-based jailbreak for iOS 9.1 and 9.2.
Zerodium’s offer of $1.5 million for an iOS 10 remote jailbreak still stands, with payouts going down to ‘up to $10,000’ for bugs on open source CMS applications like WordPress, Joomla and Drupal.