TechLair


Indian researcher takes away $6,500 bounty for discovering Uber hacking bug

Friday, September 13, 2019 by Piyush Suthar


Uber fixed a serious security bug recently that was discovered by an Indian cybersecurity researcher named Anand Prakash. The ride-hailing and ride-sharing service paid out a bounty of $6,500 to Anand for discovering the bug.

Uber's logo is displayed on a mobile phone. Image: Reuters.

As reported by Inc42, the hacking bug would have allowed hackers to take over anyone’s Uber account. This included the accounts of partners and Uber Eats users as well. Under the responsible disclosure policy, Anand was given permission by Uber to share the details of the bug.

The vulnerability was in an API request through which Anand’s team was able to enumerate other Uber accounts using either the user’s email address or phone number. APIs are used to authenticate two services so that one works using the data from the other. For example, Uber will send an API request using access tokens to Google Maps so that it works with the Uber app. Authorisation was missing on one endpoint, which led to a leaked access token. This token could have been used to gain control over any account.
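The class of flaw described above (account lookup by email or phone, plus an endpoint that hands out an access token without checking who is asking) is shown here beside a corrected form. This is an added example, not code from the article or from Uber; the handler names, account data and response shapes are all hypothetical.

```python
# Added illustration: every name and value here is constructed, not Uber's API.
import secrets

USERS = {  # constructed sample accounts
    "u1": {"email": "alice@example.com", "phone": "+15550100", "token": secrets.token_hex(16)},
    "u2": {"email": "bob@example.com", "phone": "+15550101", "token": secrets.token_hex(16)},
}
SESSIONS = {}  # session id -> user id of the authenticated caller


def login(user_id):
    """Stand-in for real authentication: issues a session for user_id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user_id
    return sid


def lookup_vulnerable(identifier):
    """Flawed: tells any caller which account an email or phone belongs to."""
    for uid, rec in USERS.items():
        if identifier in (rec["email"], rec["phone"]):
            return {"status": 200, "user_id": uid}
    return {"status": 404}


def token_vulnerable(session_id, user_id):
    """Flawed: never checks that the caller owns user_id, so the token leaks."""
    rec = USERS.get(user_id)
    return {"status": 200, "token": rec["token"]} if rec else {"status": 404}


def lookup_hardened(identifier):
    """Same response whether or not the account exists: nothing to enumerate."""
    return {"status": 202, "message": "If the account exists, it will be contacted."}


def token_hardened(session_id, user_id):
    """Authorise on the server: the session's own user must match user_id."""
    caller = SESSIONS.get(session_id)
    if caller is None:
        return {"status": 401}  # not authenticated
    if caller != user_id:
        return {"status": 403}  # authenticated, but not the owner
    return {"status": 200, "token": USERS[caller]["token"]}
```

The fix is enforced on the server from the session, never from an identifier the client supplies in the request.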

According to a statement from Uber to Inc42, this bug was fixed quickly through the company’s bug bounty program. It also said that over $2 million was paid to more than 600 researchers around the world, including Indian researchers.



