Uber has paid US$ 6500 to an Indian security researcher after he discovered a bug in its API requests. According to the official statement, the bug would have allowed attackers to take over a user’s account.
The researcher, named Anand Prakash, stated the bug was an account takeover vulnerability on Uber’s API applications which were occurred due to missing an endpoint in the authorization process.
According to the researcher, the flaw enables hackers to compromise any user’s Uber account by sending the users’ UUID in an API request to hijack accounts. The researcher explained that the flaw also affected its partners and Uber Eats users. Uber fixed the vulnerability on September 9, 2019, after the researcher reported the issue on April 19. The researcher also asked Uber for public disclosure of his discovery.
Recently, another Indian-based security researcher discovered a bug in Instagram’s Account Recovery Process that could have allowed attackers to break into users’ accounts. The Facebook-owned Instagram rewarded the researcher with a bounty of $10,000 for reporting the vulnerability.
The researcher said that he found the vulnerability while investigating how the account recovery process of the photo-sharing application allows the user to regain access to your account when you’ve forgotten the password. According to the researcher, Muthiyah, the Instagram server uses device ID as a unique identifier to validate password reset codes. “When a user requests a passcode using his / her mobile device, a device ID is sent along with the request. The same device ID is used again to verify the passcode,” Muthiyah said in a statement.
The researcher found that the same device ID can be used to request passcodes for multiple Instagram accounts of different users, allowing an attacker to breach multiple accounts with a single device ID.