Uber is no stranger to controversy: at the end of last year it was revealed the cab firm had covered up a data breach affecting 57 million users by paying a ransom. Now the company appears to be passing off a security flaw that allows a hacker to bypass two-factor authentication as not “particularly severe.”
Two-factor authentication is a security process in which a user must provide a second set of details after the initial login with a username and password. This helps to lock down an account and protect it from outside attackers, while eliminating the need to remember thousands of usernames and passwords.
The new bug was identified by security researcher Karan Saini. The flaw grants access to anyone holding the username and password without requiring them to pass the two-factor authentication step.
Uber seemed less than enthused about the bug being identified, replying to Saini’s report on the bug bounty platform HackerOne that it “did not warrant an immediate action or a fix”. Don’t worry though, the company did find it “informative,” despite doing nothing with said information.
“If it's not a security feature, why even have it? There is no need for a novelty 2FA if it doesn't actually serve a purpose,” Saini said to ZDNet before the publication began putting the bug to the test.
It seems from ZDNet’s results that the bug cannot be exploited all the time, but there is definitely a window of opportunity. This is because Uber’s machine learning system decides whether a login attempt looks genuine before triggering a prompt for two-factor authentication; if the attempt is judged genuine, no second factor is requested at all. Saini, however, believes the bypass works regardless of the situation.
The real cause for concern is leaving machine learning to decide whether or not something is suspicious, not giving users the option to always require two-factor authentication, and Uber’s nonchalant attitude towards what is indeed a security flaw. Those using the Uber app need to be confident in their own account security if they want to continue using it.
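To make the design defect concrete, here is an added toy model of the two login flows (constructed for this article, not Uber’s code): one in which the second factor is only requested when a risk engine flags the attempt, and a hardened one in which a user who opted into 2FA is always challenged. The risk engine, the account data and the one-time code are all made-up stand-ins; the assumption that a previously seen device is what makes an attempt look “genuine” is ours, chosen only to show the gap.

```python
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    password: str                # plaintext only in this toy model
    second_factor_enabled: bool  # the user opted into 2FA
    current_otp: str             # constructed stand-in for a TOTP/SMS code


def risk_score(device_id: str, trusted_devices: set) -> float:
    """Toy risk engine (assumption): a device seen before looks genuine,
    an unknown one looks suspicious. A real engine would weigh many signals."""
    return 0.1 if device_id in trusted_devices else 0.9


def otp_ok(account: Account, otp) -> bool:
    return otp is not None and hmac.compare_digest(account.current_otp, otp)


def login_risk_gated(account, password, otp, device_id, trusted_devices):
    """Pattern the article describes: the 2FA prompt is triggered only when the
    risk engine is suspicious. A stolen password used from a 'genuine-looking'
    context therefore never reaches the second-factor check at all."""
    if not hmac.compare_digest(account.password, password):
        return "denied"
    if risk_score(device_id, trusted_devices) < 0.5:
        return "granted"  # second factor skipped: this is the bypass window
    return "granted" if otp_ok(account, otp) else "second_factor_required"


def login_enforced(account, password, otp, device_id, trusted_devices):
    """Hardened flow: a user who enabled 2FA is always challenged. The risk
    engine may add a challenge for other users, but never removes one the
    user opted into."""
    if not hmac.compare_digest(account.password, password):
        return "denied"
    step_up = account.second_factor_enabled or risk_score(device_id, trusted_devices) >= 0.5
    if step_up and not otp_ok(account, otp):
        return "second_factor_required"
    return "granted"


# Constructed sample data for a quick run.
ALICE = Account("alice", "correct horse battery", True, "492817")
TRUSTED_DEVICES = {"phone-1"}
```

Run with a correct password and no code from the trusted device: the risk-gated flow grants access, the enforced flow still asks for the second factor.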
KitGuru Says: Machine learning is a complicated process that usually takes time to mature, and the earlier it is in that learning process, the more security gaps users are exposed to. This seems like a bizarre thing to leave in the hands of something so risky, especially when Uber’s reputation has already spiralled out of control.