A serious bug was rejected from Uber's bug bounty program, and the company has no plans to address the flaw.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A bug in Uber's two-factor authentication system allows hackers to bypass it without entering the correct code, and Uber has said it doesn't plan to fix it.
- With Uber's track record of scandal and breaches, this doesn't bode well for users. Until the bug is fixed it's a good idea to avoid using the app if you're concerned about device security.--TechRepublic
As reported by our sister site ZDNet, Uber has formally acknowledged a bug in its two-factor authentication method, while at the same time saying it didn't require an immediate solution.
Security researcher Karan Saini, who filed a bug with Uber's bug bounty program, reached out to ZDNet after the bug was rejected. Uber's response? It was "informative," meaning "This report contained useful information but did not warrant an immediate action or a fix."
Two-factor authentication is the use of a second code to verify identity after a password is entered. Uber uses it intermittently, reportedly when suspicious activity is detected. In cases where a second factor is required, Uber texts a code to a user's device after they log in.
According to Saini, a bug in how Uber authenticates users makes it easy for hackers to defeat the two-factor prompt without entering the correct code. If it doesn't work, it isn't a real security feature, and "If it's not a security feature, why even have it?" Saini told ZDNet.
Saini also said there's no doubt that malicious actors have discovered the bug; he said it's incredibly easy to discover.
With a reported 40 million active riders per month, that's a lot of credentials that can be stolen and used without having to worry about two-factor lockout.
More Uber problems
This news comes only a few months after Uber was caught trying to hide the theft of 57 million accounts, and less than a year after it was accused of using industrial espionage software against Lyft. Uber's former CEO Travis Kalanick was forced out in the wake of a handful of other scandals, and now it turns out Uber is minimizing the importance of a standard piece of account security.
In its conversation with ZDNet about the bug, Uber said it was aware of the issue, it had been reported before, and the behavior was expected. In short, users of the popular ride share app shouldn't expect its two-factor authentication problems to be solved in the near future.
In a time when stolen Uber credentials can be found for sale on the dark web for as little as a dollar, a laissez-faire approach is the last thing users should hope Uber would take.
Uber for Business continues to become more popular as well, and this two-factor failure should give businesses pause, especially since trips on an Uber Business account can be billed directly to a company account.
Until Uber decides to take action by finally completing the two-factor authentication system it began working on in 2015, it's not a bad idea to take an old-fashioned taxi or to hail a Lyft instead.