Bengaluru ethical hacker finds Uber bug giving lifetime of free rides, gets $5000 reward

Anand has also spotted bugs in major multinationals like Google, Twitter, RedHat, Adobe, PayPal to name a few.


Anand Prakash, a Bengaluru-based ethical hacker, was handsomely rewarded for spotting a bug in the app of the multinational cab aggregator Uber that let anyone ride cabs for free in India and the US.

Prakash, who is from Rajasthan and identifies himself as a bug bounty hunter, was duly rewarded $5000 by the company for his discovery, potentially saving Uber a significant amount of money.

On Friday, Prakash posted an article on his blog titled, ‘How anyone could have used Uber to ride for free’ along with a video demonstrating the fault in Uber’s code. He goes on to explain how someone with knowledge of scripting could have exploited this loophole.

In his blog, Prakash writes, “For demonstrating the bug, I took permission from Uber Team and took free rides in United States and India and I wasn't charged from any of my payment methods.”

The bug, as described by Prakash, worked like this: a user creates an account on Uber's portal, starts a ride, and at the end of the trip pays either by cash or by credit/debit card. But if the request that selects the payment method was modified so that the payment-method value was replaced with arbitrary characters, Uber's servers accepted it instead of rejecting the request, and the ride was completed without any charge being made.
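To make that class of defect concrete, here is an added illustrative example; it is not Uber's code and is not taken from Prakash's write-up. The names (`Account`, `Trip`, `complete_trip_vulnerable`, `start_trip_hardened`, `complete_trip_hardened`) and the constructed sample account are assumptions. The vulnerable function treats a payment-method identifier that fails to resolve as "nothing to charge" and still completes the trip; the hardened version validates the identifier when the trip is requested, binds it to the trip on the server side, and fails closed at completion.

```python
# Added illustration of the failure mode described above; this is NOT Uber's
# code. It models a ride-service back end that lets the client pick a payment
# method, once with the bug (an unresolvable identifier silently means "no
# charge") and once hardened (identifier validated and bound server-side).
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    # payment_method_id -> display label (constructed sample data, not real ids)
    payment_methods: dict = field(default_factory=dict)


@dataclass
class Trip:
    trip_id: str
    rider: Account
    payment_method_id: str  # bound at trip start; never re-read from the client
    charges: list = field(default_factory=list)


class PaymentMethodError(ValueError):
    """The referenced payment method does not exist or is not the rider's."""


def complete_trip_vulnerable(rider: Account, client_payment_method_id: str, fare: float) -> float:
    """Vulnerable variant (assumed shape of the bug).

    The identifier arrives from the client at trip end. When it does not
    resolve there is no payment path to run, so nothing is charged, yet the
    trip is still marked complete. Tampering with the id makes the ride free.
    """
    method = rider.payment_methods.get(client_payment_method_id)
    charged = 0.0
    if method is not None:
        charged = fare  # "charging" modelled as returning the amount billed
    return charged      # trip completes either way


def start_trip_hardened(rider: Account, client_payment_method_id: str, trip_id: str = "trip_1") -> Trip:
    """Hardened: check existence and ownership before any service is rendered."""
    if client_payment_method_id not in rider.payment_methods:
        raise PaymentMethodError(
            f"payment method {client_payment_method_id!r} is not registered to {rider.user_id}"
        )
    return Trip(trip_id=trip_id, rider=rider, payment_method_id=client_payment_method_id)


def complete_trip_hardened(trip: Trip, fare: float) -> float:
    """Charge the method bound at trip start; fail closed if it is no longer valid."""
    method = trip.rider.payment_methods.get(trip.payment_method_id)
    if method is None:
        raise PaymentMethodError(
            f"bound payment method {trip.payment_method_id!r} is no longer valid"
        )
    trip.charges.append((method, fare))
    return fare


if __name__ == "__main__":
    rider = Account("rider_1", {"pm_1": "visa-4242"})  # constructed sample account
    print("vulnerable, valid id:   ", complete_trip_vulnerable(rider, "pm_1", 12.5))
    print("vulnerable, tampered id:", complete_trip_vulnerable(rider, "zzzz", 12.5))
    trip = start_trip_hardened(rider, "pm_1")
    print("hardened, valid id:     ", complete_trip_hardened(trip, 12.5))
    try:
        start_trip_hardened(rider, "zzzz")
    except PaymentMethodError as exc:
        print("hardened, tampered id:   rejected:", exc)
```

The point of the hardened version is where trust is placed: the payment reference is validated when the ride is requested, before any service has been delivered, and the checkout step charges the method the server already bound to the trip rather than whatever the client sends at the end.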

This $5000 bounty is not the first feather in the former Flipkart employee's cap. From Uber alone he has earned a total of $13500 by reporting bugs, most of them related to data leaks.

“Uber’s bug bounty program works with security researchers all over the world to fix bugs, even when they don’t directly impact our users. We appreciate Anand’s ongoing contributions and were happy to reward him for an excellent report,” an Uber spokesperson was quoted as saying in TechCrunch.

In the past, he has also been rewarded $15,000 for spotting a bug on Facebook (along with 90 others), by which any user could change another’s password.

The 24-year-old has also spotted bugs in major multinationals like Google, Twitter, RedHat, Adobe, PayPal to name a few.

The Vellore Institute of Technology-alumnus got interested in hacking in his pre-engineering days, when he found a loophole to use mobile data for free.