Uber has shrugged off a bug that could allow hackers to bypass two-factor authentication (2FA) protecting user accounts because the flaw “isn’t particularly severe”.
Security researcher Karan Saini found the bug in Uber’s two-factor authentication process, which has yet to be rolled out widely to Uber users. The flaw relates to the way an account is authenticated when users log in, meaning hackers with someone’s username and password can drift past the 2FA with ease.
Given how people tend to reuse usernames and passwords across accounts (after all, there’s only so much the average human can memorise), 2FA offers an extra barrier of security to keep hackers and cybercriminals out.
But Uber doesn’t seem to be too fussed about the flaw: when Saini posted the bug to the HackerOne site, which handles administration for Uber’s bug bounty scheme, the controversy-ridden ride-sharing firm noted the bug was “informative” but “did not warrant an immediate action or a fix”.
A disgruntled Saini got in touch with ZDNet to throw some mild shade at Uber.
“If it’s not a security feature, why even have it?” he said. “There is no need for a novelty 2FA if it doesn’t actually serve a purpose.”
ZDNet’s boffins put the bug to the test and found that sometimes it was able to bypass the 2FA and other times it couldn’t.
Uber noted that it uses a suite of techniques, including machine learning, to ascertain when an account is being illegitimately accessed and to trigger 2FA only then, rather than using the security feature for every login attempt.
Saini wasn’t particularly convinced and noted that 2FA can be bypassed regardless of how the prompt is triggered.
“My point is that this is a bypass of the 2FA challenge Uber employs when certain requests are ‘deemed suspicious’, regardless of the fact,” he said.
Uber told ZDNet that the bug was not a bypass but likely the result of its security team’s ongoing testing of various security systems for the app.
“We’ve been testing different solutions since we received a lot of user complaints about requiring 2FA on [an Uber web address which we are redacting per our decision to not reveal specifics of the bug] when people are trying to report a lost or stolen phone and can’t receive a code on that device,” Uber spokesperson Melanie Ensign told ZDNet.
“We believe those tests are causing both the existence and inconsistency of this issue.”
So far, Uber appears to be brushing off the bug as part and parcel of its attempts to shore up its app’s security. And while bypassing 2FA is a problem, a hacker first needs to have the right username and password to get access to an Uber account.
So if you’re confident in your personal online security and are an Uber user, there’s probably no need for major concern right away.
But Uber’s seemingly blasé attitude to the security flaw isn’t exactly inspiring and doesn’t help the firm’s rather rocky reputation.
Source: Inquirer