Hackers bags Uber's $5,000 reward for finding glitch that gave free rides

Uber has rewarded a hacker with a $5,000 (£4,075) bounty after discovering a security loophole in the popular 'taxi' app that made all rides completely free. The bug, which has now been fixed, had been confirmed to work in any country where Uber's ride-sharing service is available.

Anand Prakash, a security researcher from Bangalore, India, submitted the payment-dodging loophole to bug bounty platform HackerOne late last year. Uber then gave Prakash full permission to test the bug in both the US and India and successfully triggered the exploit in both regions.

Prakash claimed that prior to the fix, "attackers could have misused this by taking unlimited free rides from their Uber account."

In a blog post, the researcher noted that it would have been possible for hackers to spoof Uber's billing system by inserting random characters instead of a valid payment method.

"Users can create their account on Uber.com and can start riding," he said. "When a ride is completed a user can either pay cash or charge it to their credit/debit card. But, by specifying an invalid payment method for example: abc, xyz etc, I could ride Uber for free."

Uber, which offers up to $10,000 to anyone who can expose major security flaws within its system, fixed the bug on the same day it was reported in August 2016, although the loophole had been kept under wraps until Prakash's blog post on 3 March.

"Uber's bug bounty program works with security researchers all over the world to fix bugs, even when they don't directly impact our users," an Uber spokesperson told TechCrunch. "We appreciate Anand's ongoing contributions and were happy to reward him for an excellent report."

Prakash is highly-rated among the HackerOne community and ranks 14th in Uber's bounty scheme and third for social media giant Twitter. Other tech-related companies that use the service to discover security issues include Snapchat, Slack, Yahoo, Nintendo and Rockstar Games.