Uber is once again in the limelight, with a new year new tale. Last year, it shocked everyone when it was reported that about 57 million records of customers and driver’s data were accessed in a security breach that Uber concealed by paying the hackers to delete the stolen data. In lasts years issues, hackers accessed the company’s GitHub site and obtained credentials which they then used to log into the company’s Amazon Web Services (AWS) account. It’s on this account that hackers obtained an archive which contained the customers and driver’s data. This year’s incident is no different as it’s also about security matters.
Its reported that Uber has two-factor authentication (2FA) system in place, but there’s a bug in it. This bug allows an attacker to gain access to a user account by passing the 2FA system. But since the bug was reported, Uber has ignored it saying that the bug isn’t a severe issue. 2FA is a system which adds an extra layer of security to one’s account be it Facebook, Google as long as it is supported. 2FA system works when someone is trying to access your account with wrong credentials, or when you use a new device to sign into your account or when suspicious activity is detected. It’s also useful for unlocking a locked account. Usually, you get a code to, i.e. your phone which only you have access to.
In 2015, Uber began testing 2FA on its systems, and until now only some users have the feature implemented in their accounts. Users with the feature regularly use the codes to log into their accounts. But according to Karan Saini, a New Delhi-based security researcher, this extra layer of security can be bypassed hence making 2FA a novelty useless feature. Saini who found the bug filed a bug report with Hacker One which is responsible for Uber’s bounty program, but his report was rejected. According to Hacker One, Uber deemed the bug report as informative; that is, it contains useful information, but it doesn’t warrant an action or a fix. In a correspondence to the bug report, Rob Fletcher the security engineering manager at Uber said: “this isn’t a particularly severe report and is likely expected behavior.” In the report, Fletcher also told Saini that the 2FA is not available on every device and its only used when certain requests are deemed suspicious.
According to Saini’s documentation, there’s a weakness in how Uber’s authentication system works. The bug exploits the weakness when a user tries to log into their account. By exploiting the weakness, a user can log into an account even without entering a correct code, and this defeats what two-factor authentication was meant to do. With this weakness, an attacker who has access to users’ email and password especially after last year’s breach, can easily log into their accounts. It is also risky as Uber accounts are regularly traded on the dark web cheaply.
ZDNet, a security-minded business technology news website also reviewed Saini’s video documentation of the bug and also went further ahead to carry out their independent test. ZDNet verified the bug does exist although with mixed results. That’s the weakness could be exploited at times and in some cases, the weakness can’t be exploited. To prevent exploitation by attackers, ZDNet refused to reveal the specifications of the bug. Melanie Ensign, Uber’s spokesperson, stated the bug wasn’t a bypass and was likely caused by the ongoing testing by the security team to evaluate the effectiveness of different techniques of securing accounts.
Ensign also went further and said, “the company uses machine learning to enforce risk-based authentication by default for all rider and driver accounts.” Saini’s response countered this statement, “I do not understand how logging in to my account from my IP address, operating system, and browser can be deemed suspicious. My point is that this is a bypass of the 2FA challenge Uber employs when certain requests are ‘deemed suspicious,’ regardless of the fact.” To address the above statement, the spokesperson said it’s the tests that are causing the inconsistency and the existence o the issue. Uber’s bug bounty program manager said the company had received several reports on the issue before. But Saini affirmatively said if other researchers had also found the bug, then malicious actors have already found it.