Uber calls bug allowing hackers to bypass two-factor authentication 'expected behavior'

A serious bug was rejected from Uber's bug bounty program, and the company has no plans to address the flaw.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A bug in Uber's two-factor authentication system allows hackers to bypass it without entering the correct code, and Uber has said it doesn't plan to fix it.
  • With Uber's track record of scandal and breaches, this doesn't bode well for users. Until the bug is fixed, it's a good idea to avoid using the app if you're concerned about account security.—TechRepublic

As reported by our sister site ZDNet, Uber has formally acknowledged a bug in its two-factor authentication method while saying, at the same time, that it does not require an immediate fix.

Security researcher Karan Saini, who filed the bug with Uber's bug bounty program, reached out to ZDNet after the report was rejected. Uber's response was to classify the report as "informative," meaning "This report contained useful information but did not warrant an immediate action or a fix."

Two-factor authentication requires a second proof of identity in addition to the password; in Uber's case that second factor is a one-time code sent by SMS. Uber applies it selectively, reportedly only when it detects suspicious activity on a login. In those cases, after the password is accepted, Uber texts a code to the user's device and prompts for it before the login completes.

According to Saini, a bug in how Uber authenticates users makes it easy for hackers to defeat the two-factor prompt without entering the correct code. If it doesn't work, it isn't a real security feature, and "If it's not a security feature, why even have it?" Saini told ZDNet.
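The article does not say how Saini's bypass works, so the following Python is an added illustration rather than Uber's code or the reported bug. It contrasts a login flow in which the SMS code is prompted for but never gates the API with one in which the password alone yields only a pre-auth token that can be spent on code verification. The user, password, trip data, endpoint names and SMS delivery are constructed stand-ins; the check a practitioner wants is the one demo() performs, calling the protected endpoint with whatever the password step handed back and seeing whether it is served.

```python
"""Added illustration, not Uber's code and not the mechanism of the reported bug (the
article does not describe it): a second factor that is merely prompted for versus one
that gates access server-side. Users, password and SMS delivery are constructed."""
import hashlib, hmac, secrets, time

PASSWORD = "correct horse battery staple"                    # constructed sample credential
USERS = {"alice": hashlib.sha256(b"salt" + PASSWORD.encode()).digest()}
TRIPS = {"alice": ["SFO -> downtown", "downtown -> home"]}   # constructed protected data

def password_ok(user, password):
    digest = USERS.get(user, b"\0" * 32)    # compare even for unknown users
    return hmac.compare_digest(digest, hashlib.sha256(b"salt" + password.encode()).digest())

class OtpIssuer:
    """Six-digit single-use codes with a TTL and an attempt cap; send_sms(user, code)
    stands in for the SMS gateway, so the code never appears in an API response."""
    def __init__(self, send_sms, ttl_s=300, max_attempts=5):
        self.send_sms, self.ttl_s, self.max_attempts = send_sms, ttl_s, max_attempts
        self._pending = {}                   # user -> [code, expiry, failed_attempts]

    def issue(self, user):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = [code, time.monotonic() + self.ttl_s, 0]
        self.send_sms(user, code)

    def verify(self, user, code):
        entry = self._pending.get(user)
        if entry is None:
            return False
        if time.monotonic() > entry[1] or entry[2] >= self.max_attempts:
            del self._pending[user]          # expired or locked out: a fresh code is needed
            return False
        if hmac.compare_digest(entry[0], code):
            del self._pending[user]          # single use
            return True
        entry[2] += 1
        return False

class WeakServer:
    """Prompts for the code, but the API only checks that a session exists."""
    def __init__(self, send_sms):
        self.otp, self.sessions = OtpIssuer(send_sms), {}

    def login(self, user, password):
        if not password_ok(user, password):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "mfa_done": False}
        self.otp.issue(user)       # client is told to show the prompt ...
        return sid                 # ... while already holding a session the API accepts

    def verify_otp(self, sid, code):
        s = self.sessions[sid]
        s["mfa_done"] = self.otp.verify(s["user"], code)
        return s["mfa_done"]

    def trips(self, sid):
        s = self.sessions.get(sid)
        return TRIPS[s["user"]] if s else None    # mfa_done is never consulted

class StrictServer:
    """The password alone yields a pre-auth token that only verify_otp accepts."""
    def __init__(self, send_sms):
        self.otp, self.sessions = OtpIssuer(send_sms), {}

    def login(self, user, password):
        if not password_ok(user, password):
            return None
        tok = secrets.token_urlsafe(16)
        self.sessions[tok] = {"user": user, "scope": "otp_only"}
        self.otp.issue(user)
        return tok

    def verify_otp(self, tok, code):
        s = self.sessions.get(tok)
        if not s or s["scope"] != "otp_only" or not self.otp.verify(s["user"], code):
            return None
        del self.sessions[tok]     # pre-auth token consumed on success
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": s["user"], "scope": "full"}
        return sid

    def trips(self, sid):
        s = self.sessions.get(sid)
        return TRIPS[s["user"]] if s and s["scope"] == "full" else None

def demo():
    """Runs both servers through the same flow and returns what each allowed."""
    inbox = {}
    send = inbox.__setitem__                   # simulated phone: user -> last SMS code
    weak, strict = WeakServer(send), StrictServer(send)
    w_sid = weak.login("alice", PASSWORD)
    weak_bypassed = weak.trips(w_sid) == TRIPS["alice"]        # no code entered at all
    tok = strict.login("alice", PASSWORD)
    real = inbox["alice"]
    wrong = "000000" if real != "000000" else "111111"
    pre_blocked = strict.trips(tok) is None
    wrong_rejected = strict.verify_otp(tok, wrong) is None
    full = strict.verify_otp(tok, real)
    granted = full is not None and strict.trips(full) == TRIPS["alice"]
    replay_rejected = strict.verify_otp(tok, real) is None     # token consumed, code single use
    return {"weak_bypassed": weak_bypassed, "pre_blocked": pre_blocked, "wrong_rejected":
            wrong_rejected, "granted": granted, "replay_rejected": replay_rejected}
```

demo() returns five booleans, all True when the weak server serves trips without any code being entered and the strict one refuses the pre-auth token on the protected endpoint, a wrong code, and replay of a consumed token. The same black-box check is what a tester runs against a real service: complete the password step, skip or cancel the second-factor prompt, and replay whatever token came back against an authenticated endpoint.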

Saini also said he has no doubt that malicious actors have already found the bug, because it is incredibly easy to discover.

With a reported 40 million active riders per month, that is a lot of accounts whose stolen credentials could be used without the second factor ever getting in the way.

More Uber problems

This news comes only a few months after Uber was caught trying to hide the theft of 57 million accounts, and less than a year after it was accused of using industrial espionage software against Lyft. Uber's former CEO Travis Kalanick was forced out in the wake of a handful of other scandals, and now it turns out Uber is minimizing the importance of a standard piece of account security.

In its conversation with ZDNet about the bug, Uber said it was aware of the issue, that it had been reported before, and that the behavior was expected. In short, users of the popular ride-share app shouldn't expect its two-factor authentication problems to be solved in the near future.

At a time when stolen Uber credentials can be found for sale on the dark web for as little as a dollar, a laissez-faire approach is the last thing users should hope Uber would take.

Uber for Business continues to grow in popularity as well, and this two-factor failure should give businesses pause, especially since trips taken on an Uber for Business account can be billed directly to the company, so a hijacked employee account can run up charges on the company's bill.

Until Uber decides to take action by finally completing the two-factor authentication system it began working on in 2015, it's not a bad idea to take an old-fashioned taxi or to hail a Lyft instead.

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.
