Short Bytes: An independent security researcher has found a critical vulnerability in Uber’s app that allows an attacker to brute force the invite URL and grab unlimited promo codes up to $25,000 for unlimited free rides. However, Uber has refused to acknowledge the flaw and passed the bug report to its fraud team.
An Egyptian security researcher has uncovered a flaw in the ride-sharing app Uber, that allows a customer to use Uber service for free with the help of unlimited promotional codes.
This critical vulnerability is exploited by brute forcing the system repeatedly and grabbing other people’s free promo codes. This Uber promo code hack lets a person earn up to $25,000 for more than one free ride.
The hacker, named Mohamed M.Fouad found this vulnerability in the URL get.uber.com/invite/<code_name>, which is used to sent an invitation to any other user.
In his blog, Mohamed writes that he found lack of protection against any type of brute force attacks. This gave him a chance to get different promo codes with “high amounts in dollar currency between 5,000$ to 25,000$”.
These high-value codes may be related to some other vehicles–like a helicopter–other than cars.
The security researcher has also made a demonstration video, showing this Uber hacking attack in work. Here’s the video:
You might not be knowing that Uber promo codes are of two types — public invite promo codes and hidden/private “Emergency Ride” code.
While public codes are generally meant for the new users, this Uber promo code hack lets an existing user to use them to get free rides. Also, by coincidence, an attacker can get a valid Emergency Ride code that’s supposed to be hidden.
Surprisingly, Uber has refused to acknowledge this finding related to Uber promo code hack and called the flaw out of the scope.
Mohamed says that he has reported this vulnerability repeatedly but Uber considers this as fraud and sends the request to the fraud team.
Did you find this article interesting? Don’t forget to drop your feedback in the comments section below.