Uber says security bug that let hackers bypass two-factor authentication wasn't 'particularly severe'

A security researcher uncovered a bug in Uber's two-factor authentication system that could have potentially allowed hackers to bypass it and hack into users' accounts. However, the ride-hailing company initially said the issue was "not particularly severe".

Earlier this month, New Delhi-based analyst Karan Saini filed a bug report with HackerOne, which manages Uber's bug bounty programme. However, Saini told ZDNet that his report was rejected.

Uber uses two-factor authentication by sending a code via text message to the user's device to verify their identity.

According to Saini, the flaw is related to the way an account is authenticated when users attempt to log in. The bug could potentially allow a malicious hacker to sign into a person's account using their email address and corresponding password and bypass the 2FA system without having to plug in a security code.

"From there, the attacker can look at the account's past trips and even make new trips using any stored payment methods," Saini told IBTimes UK via direct message on Twitter.

Saini said Uber marked his bug report as "informative", which means it contains "useful information but did warrant an immediate action or fix".

In correspondence with Saini regarding the report, Uber Security Engineering Manager Rob Fletcher reportedly wrote: "This isn't a particularly severe report and is likely expected behavior." He also told Saini that Uber currently only uses two-factor authentication "when certain requests are deemed suspicious" and is "not an account-wide setting used on every device".

Lindsey Glovin, Uber's bug bounty program manager, also responded to Saini's bug report saying the company "received several reports" on the issue over the past few months and called it a "known temporary tradeoff while we continue to test alternatives."

"If it's not a security feature, why even have it?" Saini told ZDNet. "There is no need for a novelty 2FA if it doesn't actually serve a purpose." He added that there is "no doubt" that threat actors have possibly uncovered the flaw since it is "that easy to find".

In recent years, Uber credentials have been a popular commodity on the dark web and have been sold for as little as $1 (£0.72) per stolen username and password at times.

The report also comes after Uber faces criticism over covering up a massive 2016 data breach for over a year and paying hackers a ransom of $100,000 to delete the stolen data and hush up the attack. The breach affected about 57 million users and drivers' data across the globe, including around 2.7 million people in the UK.

However, Uber said the bug reported by Saini was "not a bypass" and was "likely caused by the security team's ongoing testing to evaluate and refine the effectiveness of different techniques" to secure user accounts.

Uber spokesperson Melanie Ensign told ZDNet: "We've been testing different solutions since we received a lot of user complaints about requiring 2FA on [an Uber web address which we are redacting per our decision to not reveal specifics of the bug] when people are trying to report a lost or stolen phone and can't receive a code on that device."

The company later said it fixed the security flaw a day after ZDNet's report. However, Saini questioned the timing of the fix.

"How come, Uber, who knew about this issue for the past few months and allegedly had also been working on a 'long-term solution' for it, fixed it one hour after the ZDNet report went live?" Saini said. "Without complete transparency there can be no trust based relationships between organizations that rely on crowdsourced vulnerabilities and the people who find those vulnerabilities."

IBTimes UK has reached out to Uber for further comment.