
Uber says bug that allows 2fa bypass ‘not particularly severe’

In cybersecurity terms, Uber is having a rough ride, mostly of its own doing. 

Just two months after the ride-hailing company admitted to covering up a breach that exposed sensitive information on 57 million customers and drivers, a security researcher has found a flaw that lets attackers bypass two-factor authentication (2fa). Uber has left it unpatched, saying it wasn't “a particularly severe report.”

Uber Security Engineering Manager Rob Fletcher also called the bug “likely expected behavior” in his response to security researcher Karan Saini, who had reported the flaw through HackerOne, which administers the company's bug bounty program, only to see it rejected and marked “informative,” according to a report by ZDNet.

“In no way is easily bypassing two-factor authentication ever considered 'likely expected behavior,' and this is as severe as a vulnerability can get,” said John Gunn, CMO at VASCO Data Security. “If they don't consider a failure of fundamental security protections as being severe, you have to wonder what they would consider severe. Two-factor authentication is extremely secure if implemented properly, which is remarkably easy to do.”

The bug allows an attacker who already holds an account's email address and password to log in and then bypass 2fa by entering an arbitrary code when prompted: the second factor is presented, but a wrong code is not rejected.
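The failure mode described above, as an added illustration rather than Uber's code (the actual defect was never published): a second-factor check that fails open, so any six digits typed at the prompt complete the login, beside one that fails closed. The TOTP routine follows RFC 4226/6238 and the demo secret is the RFC 6238 reference key; the `Session` class, the attempt limit and the audit list are constructed for the example.

```python
"""Fail-open versus fail-closed second-factor verification (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed demo secret: the RFC 6238 reference key, ASCII "12345678901234567890".
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30      # seconds per TOTP window
DIGITS = 6
MAX_ATTEMPTS = 5    # hypothetical policy: lock the challenge after this many misses


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step), digits)


@dataclass
class Session:
    """Server-side login state after the password step has already succeeded."""
    secret: bytes
    second_factor_passed: bool = False
    failed_attempts: int = 0
    last_counter_used: int = -1            # replay protection for the hardened path
    audit: list = field(default_factory=list)


def verify_second_factor_vulnerable(session: Session, submitted: str, now: float) -> bool:
    """Fails open: the mismatch is recorded, but the session is marked complete
    regardless, so an arbitrary code 'passes' the second factor."""
    if submitted != totp(session.secret, now):
        session.audit.append("2fa mismatch")   # noted, then ignored
    session.second_factor_passed = True
    return session.second_factor_passed


def verify_second_factor_hardened(session: Session, submitted: str, now: float,
                                  step: int = TIME_STEP) -> bool:
    """Fails closed: constant-time compare, one step of clock skew either way,
    an attempt limit, and each time-step counter accepted at most once."""
    if session.failed_attempts >= MAX_ATTEMPTS:
        session.audit.append("2fa locked")
        return False
    if not submitted.isdigit() or len(submitted) != DIGITS:
        session.failed_attempts += 1
        return False
    current = int(now // step)
    for counter in (current - 1, current, current + 1):
        expected = hotp(session.secret, counter)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            if counter <= session.last_counter_used:   # code already consumed: replay
                break
            session.last_counter_used = counter
            session.second_factor_passed = True
            session.failed_attempts = 0
            return True
    session.failed_attempts += 1
    session.audit.append("2fa mismatch")
    return False


if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector time; a real service would use time.time()
    s = Session(secret=DEMO_SECRET)
    print("vulnerable accepts random code:", verify_second_factor_vulnerable(s, "000000", now))
    s = Session(secret=DEMO_SECRET)
    print("hardened rejects random code:", not verify_second_factor_hardened(s, "000000", now))
    print("hardened accepts real code:", verify_second_factor_hardened(s, totp(DEMO_SECRET, now), now))
```

The hardened path never derives the outcome from the fact that something was submitted; it derives it only from a constant-time match against a server-computed code, and it refuses the same code twice. Risk-based prompting of the kind Young describes is compatible with this, provided the decision to skip the prompt is taken server-side and the verify step is never reached with a code it does not check.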

While Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team (VERT), called 2fa “an important security control,” he interpreted “Uber's response to mean that they are exploring different signals they can use to decide when it is necessary to verify an SMS code and that users should not expect to receive the 2FA code on each login. Without knowing specific details of the technique, it is impossible to validate whether there is a legitimate bug.”

Young pointed out, “this is not the first gripe against Uber's security team either, as another researcher, Gregory Perry, recently published a blog post titled, ‘How I Got Paid $0 From the Uber Security Bug Bounty,' in which he has harsh criticism toward Uber's security team for perceived ineptitudes,” but he noted that “details from those reports are public, however, and it is my opinion that Uber's response was more or less appropriate within the parameters of their bounty program.”

Young added, “Uber's security team also came under fire recently when Reuters published claims that Uber had used their bug bounty program to pay $100,000 of hush money to an individual who had threatened to release Uber customer data.”

Noting that Uber is still stinging from criticism over that payment, made to keep a hacker from releasing data stolen in the breach that affected 57 million, Young said, “Before researchers or customers lose faith in Uber's commitment to security, I would simply point out that Uber's HackerOne Hacktivity indicates they have paid upwards of $50,000 in bounty payments in just the past 30 days and more than $1.3 million total.”
