These three Portuguese discovered bugs in the Uber app and were rewarded

Anonim

A group of Portuguese penetration testers found a total of 15 serious flaws in the Uber app. Result? They received more than 16 thousand euros in compensation.

On March 22, Uber launched a public bug program, known as a bug bounty, that invites users to discover bugs in the platform in exchange for a reward that varies depending on the severity of the bug found. A few days later, Fábio Pires, Filipe Reis and Vítor Oliveira began to devise a plan to break into the application and discover vulnerabilities in the system.

The three young people, aged between 25 and 27, work in a Portuguese company as penetration testers (or pentesters), who are fundamentally security professionals responsible for finding vulnerabilities in various systems, networks or programs. “This project is not much different from what we do on a daily basis”, stressed Vítor Oliveira to Razão Automóvel.


The three young Portuguese called a car to put the Uber mobile application to the test. Working from a laptop, and despite the suspicious look of the driver, the group quickly found the first flaw: by intercepting the communication between the application and the company's server, the trio found a way to access requests made by other platform users and so obtain personal data such as email address and photograph.


After finding the first vulnerability in the Uber application, it didn't take long for them to get to the driver's data, the routes he took and the value of the trips. The group devoted their free time over the next two weeks to discovering other flaws in the application. Among the main findings were access to the travel history of users of the platform and more than a thousand discount coupons, including a valid code worth 100 dollars that Uber itself did not know about, that could be used later. All vulnerabilities are described in detail here.

In total, 15 vulnerabilities have been reported (although already fixed), but because some had already been reported, only 8 vulnerabilities will be paid; four have already been paid for. In the end, the three young people received $18,000, the equivalent of €16,300.
