Uber Pays Security Researcher $10K for Critical Flaw
Page 1 of 1
Uber at its core is not a taxi company, it's a technology service and one of its primary assets is user information. Uber recently closed a high impact flaw in its platform that could have potentially put that user information at risk.
While the vulnerability itself is interesting, so too is the means and method by which the vulnerability was discovered in the first place. Though Uber is a technology company, it didn't discover the flaw on its own, but rather by way of a third party researcher, participating in a bug bounty program.
"Through the endpoint at /rt/users/passwordless-signup it is possible to change the password of any Uber user, given knowledge of their phone number (or by just enumerating phone numbers until one is found that is registered with Uber - not too hard given the number of Uber users)," Hackerone bug report 143717 details.