Uber dismissive about security flaw that lets hackers bypass its 2FA

Uber has no plans to fix a critical security flaw in its two-factor authentication (2FA) protocol reported by an IT security researcher.

An Indian IT security researcher Karan Saini has discovered a critical security flaw in the two-factor authentication protocol used by the ride-hailing giant Uber to protect user accounts from hijacking and prevent their data from hackers.

The flaw, on the other hand, allows attackers to bypass 2FA that could apparently lead them to perform a number of malicious acts including hacking a targeted account, change its username and password and book expensive rides etc.

Simply put, 2FA is an extra layer of security that is known as “multi-factor authentication” that requires not only a password and username but also something that only that user has on them, i.e. a piece of information only they should know or have immediately to hand – such as a physical token or a code.

Uber Not Serious About Fixing The Bug

In Uber’s case, Siani reported his findings to Uber’s bug bounty program on HackerOne, who acknowledged that there is indeed a bug in its two-factor authentication but at the same time the company downplayed the severity of it and stated that his findings were informative but “this report contained useful information but did not warrant an immediate action or a fix.”

Uber uses two-factor authentication in case of suspicious login activity and sends the second code to the user’s device in order to verify their identity. Uber has been testing the 2FA feature since 2015 however, Siani’s findings highlighted how a hacker can bypass 2FA security without even entering the correct code.

According to a statement to ZDNet, Uber spokesperson Melanie Ensign said that the bug was not a bypass but could be caused by ongoing security testing the company is conducting on the app.

To read the original article:

https://www.hackread.com/uber-dismissive-about-flaw-that-lets-attackers-bypass-its-2fa/

 

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *