Uber refused to fix the bug which compromised two-factor authentication
The security researcher from New Delhi, Karan Saini, has reported about the bug which allows criminals to bypass two-factor authentication (2FA). Unfortunately, Uber says there is no rush to eliminate the vulnerability immediately since it isn't particularly severe.
Uber security flaw is related to the account authentication when the user logs in. 2FA requires a person not only to submit the username and password but also enter the unique code which is sent to his/her phone. As a result of the bug, criminals can easily access accounts by merely bypassing the 2FA with someone's username and password.
Note that nowadays it is quite easy to collect such details since people tend to re-use the same passwords in multiple apps and social media accounts. Criminals can release a legitimate looking Uber log in phishing site to gather credentials and misuse the hacked accounts for their own benefit.
Once Karan Saini reported the bug on HackerOne which administrates Uber's bug bounty scheme, the firm marked it as informative. However, they didn't believe that it warrants an immediate action or a fix. Despite that, Saini has another opinion:
If it's not a security feature, why even have it? There is no need for a novelty 2FA if it doesn't actually serve a purpose.
K. Saini was not the first one to discover the security flaw
According to Uber's bug bounty manager, Lindsey Glovin, they have received several reports about the same bug before. However, the company decided to ignore the flaw for months.
K. Saini says that if multiple security researchers have found the bug, there is no doubt that criminals might have discovered it as well since it is that easy to find.
Likewise, people are advised to avoid using same or similar usernames and passwords in different applications or social media accounts. It is important that the chosen passwords would not contain recognizable words and be secured with upper/lower cases and numbers.
Uber fixes the bug only after it has received media attention
According to K. Saini, Uber's response was dismissive. However, the company says that after Saini's report, they have marked it as informative since the IT experts were already working on the solution and informed him about it.
Despite that, Saini says that they ignored the multiple reports in the first place and agreed to fix the bug only after it has drawn media's attention on Monday.