The Green Sheet

Tuesday, January 23, 2018

Critics deride Uber's bug bounty program

Security analysts have slammed Uber for what they deem to be a selective approach to repairing software bugs. The ride-sharing service pays informants a bounty for reporting vulnerabilities, but payouts have been uneven, according to critics.

ZDNet Security Editor Zack Whittaker reported Jan. 21, 2018, that HackerOne, an Internet security firm and bug bounty program administrator, pays for reported bugs according to severity levels. Some discoveries are marked "informative" but go unpaid, Whittaker noted. Bug bounty programs are typically offered by software developers and websites, and provide recognition and compensation to individuals who report bugs in their software, particularly bugs associated with security vulnerabilities.

For example, New Delhi security researcher Karan Saini found a flaw in Uber's two-factor authentication that enabled attackers to hack into user accounts, Whittaker wrote. Rob Fletcher, Security Engineering Manager at Uber, called Saini's report "useful," but not warranting an immediate fix. "This isn't a particularly severe report and is likely expected behavior," Fletcher stated in response to Saini's report.

Analysts suggested Uber's uneven compensation may demotivate hackers from reporting flaws in the mobile app. John Gunn, Chief Marketing Officer at Vasco Data Security, called two-factor authentication an extremely severe matter. The security community would never consider the ability to easily bypass two-factor authentication as a "likely expected behavior"; this is as severe as a vulnerability can get, he said.

"If [Uber and HackerOne do not] consider a failure of fundamental security protections as being severe, you have to wonder what they would consider severe," Gunn said. "Two-factor authentication is extremely secure, if implemented properly, which is remarkably easy to do."

Bounty hunters unite

While Uber fixed Saini's reported flaw in its two-factor authentication, the company has been wrestling with similar issues since 2015, Whittaker said. "Two-factor authentication (2FA) is a vital part of protecting online accounts," he wrote. "It adds a second layer of security on top of your username and password ‒ which can be stolen ‒ by sending a code by text message to your phone, for example, which only you would have access to."

Uber only implements two-factor authentication "when certain requests are deemed suspicious," and it is "not an account-wide setting used on every device," Fletcher noted. Whittaker and other analysts are urging Uber to push the security feature to all users, not just a select few.

Lindsey Glovin, Bug Bounty Program Manager at Uber, said the company received several reports of the 2FA bypass prior to Saini's report. Saini noted that if the 2FA bug is easy to find and other security researchers have already reported it, there is a strong probability that malicious actors have also found it.
