A critical weakness was recently found in the Uber ride-sharing app, although Uber has not acknowledged it as a flaw. The vulnerability allows free rides worth up to $25,000 and was identified by an Egyptian independent security researcher, Mohamed M. Fouad. After reporting the flaw to Uber several times, Mohamed made a video demonstrating the attack.
The flaw involves the Uber app's personal promotional codes, which can be claimed without limit, letting users obtain free rides. By repeatedly brute-forcing the system, an attacker can seize free promotional codes belonging to other customers. This allows the attacker to obtain anything from a single free ride to a staggering $25,000 worth of free rides from Uber. For those who are not familiar with them, there are two types of Uber promotional codes: public invitation promotional codes, generally directed at new users, and hidden or private "Emergency Ride" promotional codes.
The flaw was found in the URL get.uber.com/invite, and Mohamed stated in his blog that it was due to a lack of protection against brute-force attacks. This URL is used to send invitations to other users, and through it he was able to obtain promotional codes with values ranging from $5,000 up to $25,000. It is unclear at this point whether these high-value promotional codes relate to other modes of transport, such as air transport.
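As an added example that is not from the article or from Uber: a small detector, in Python, that flags clients trying many distinct invite codes within a short window, which is the trace a brute-force attack on an endpoint such as get.uber.com/invite leaves in access logs and the kind of rate-based check the article says was missing. The log format, client IPs and promotional codes below are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample access-log lines (not real Uber logs). One client tries
# many distinct codes in a few seconds; another redeems two codes an hour apart.
SAMPLE_LOG = """\
203.0.113.5 [10:00:01] GET /invite?code=UBR0001 404
203.0.113.5 [10:00:02] GET /invite?code=UBR0002 404
203.0.113.5 [10:00:02] GET /invite?code=UBR0003 404
203.0.113.5 [10:00:03] GET /invite?code=UBR0004 404
203.0.113.5 [10:00:03] GET /invite?code=UBR0005 404
203.0.113.5 [10:00:04] GET /invite?code=UBR0006 200
203.0.113.5 [10:00:04] GET /invite?code=UBR0006 200
198.51.100.7 [10:00:05] GET /invite?code=FRIEND42 200
198.51.100.7 [10:15:30] GET /invite?code=FRIEND43 404
203.0.113.5 [11:00:00] GET /invite?code=UBR0007 404
10.0.0.1 [10:00:06] GET /healthz 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) \[(?P<ts>\d{2}:\d{2}:\d{2})\] GET /invite\?code=(?P<code>\w+) (?P<status>\d{3})$")

def _to_seconds(ts):
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s

def parse_log(text):
    """Return (ip, seconds, code, status) for each /invite request; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((m["ip"], _to_seconds(m["ts"]), m["code"], int(m["status"])))
    return events

def find_enumerators(events, window_seconds=60, max_distinct_codes=5):
    """Map each client IP to the largest number of distinct codes it tried inside any
    sliding window, keeping only clients above the threshold. A genuine user redeems
    one or two codes; dozens of distinct guesses from one client is the brute-force pattern."""
    per_ip = defaultdict(list)
    for ip, t, code, _status in sorted(events, key=lambda e: e[1]):
        per_ip[ip].append((t, code))
    flagged = {}
    for ip, tries in per_ip.items():
        window, counts, worst = deque(), defaultdict(int), 0
        for t, code in tries:
            window.append((t, code))
            counts[code] += 1
            while window[0][0] < t - window_seconds:  # expire entries older than the window
                _old_t, old_code = window.popleft()
                counts[old_code] -= 1
                if counts[old_code] == 0:
                    del counts[old_code]
            worst = max(worst, len(counts))
        if worst > max_distinct_codes:
            flagged[ip] = worst
    return flagged
```

Both 404 and 200 responses count, since guesses and hits are equally informative; the thresholds are assumed values to tune against real traffic.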
Mohamed stated that this vulnerability was reported to Uber several times, yet Uber regards it as fraud and keeps referring the matter to its fraud team. This is not the first such case: other flaws have been pointed out to Uber with similar denials. Leaving these vulnerabilities unaddressed in the Uber app opens the door to fraudulent incidents. With the attack clearly demonstrated to be possible, it is surprising that Uber denies the allegations.