How Bangalore techie earned $5,000 by fixing a bug in Uber

DailyBite | Mar 06, 2017 | 16:31

While the government is busy filing complaints against those who find security flaws in Aadhaar or Unique Identification (UID), it can take a lesson or two from cab aggregator Uber on how to deal with such situations.

Yes, instead of "punishing" people for pointing out flaws, Uber rewards the person concerned.

Anand Prakash, an Indian security engineer and a renowned white-hat hacker, helped Uber prevent potentially huge losses by pointing out a bug in the system. The bug allowed users to take unlimited free rides. How did Uber react to this information? They rewarded Prakash with $5,000.

Prakash has made a name for himself by pointing out security loopholes in websites. In the past he reported a security defect in Facebook that allowed hackers to brute-force the password of any account through Facebook's beta websites, and was rewarded with $15,000 for it.

In his blog, Prakash demonstrated just how dangerous this bug could prove to be. He claims that he took Uber’s permission and took free rides in the United States and India. He says that he wasn't charged for a single one of them, despite using multiple payment methods.

Anand Prakash is an Indian security engineer and a renowned white-hat hacker. [Photo: Huffington Post]

What any hacker would have to do, which he also illustrates in a video on his blog, is essentially place random characters in the payment field through the code. And voila! Unlimited free rides. The bug occurred when specifying a method of payment.

Prakash demonstrated in his video that he could specify an invalid payment method, expressed in a simple string of characters like “abc” or “xyz,” and not be billed for the ride.

Uber responded with exceptional gusto to his report and through their bounty programme, which works with security researchers all over the world to help fix bugs, rewarded the Bangalore-based techie with $5,000.

Speaking to TechCrunch, an Uber spokesperson said, “Uber’s bug bounty program works with security researchers all over the world to fix bugs, even when they don’t directly impact our users. We appreciate Anand’s ongoing contributions and were happy to reward him for an excellent report.”

Last updated: March 06, 2017 | 16:31