
After ignoring for months, Uber fixes two-factor bypass bug after all

"There is no need for a novelty 2FA if it doesn't actually serve a purpose."


Uber has fixed a security bug that could've allowed an attacker to hack into user accounts by bypassing two-factor authentication, after the ride-sharing company initially said the flaw wasn't a "particularly severe" issue.

The company quietly issued a fix shortly after ZDNet first revealed the bug on Sunday.

Uber only confirmed the fix in an email Monday after we followed up on earlier correspondence, but had not informed the security researcher of the fix.

The ride-sharing giant has been dabbling with two-factor authentication on its systems since 2015.

Two-factor authentication (2FA) is a vital part of protecting online accounts. It adds a second layer of security on top of your username and password -- which can be stolen -- by sending a code by text message to your phone, for example, which only you would have access to.

The company has yet to push the security feature widely to its users. Many users, however, are regularly sent two-factor codes in order to log in. These are sent to the phone they use to request a car.

But that two-factor code can be bypassed, making the second layer of security protection effectively useless, said Karan Saini, a New Delhi-based security researcher, who found the bug.

He filed a bug report earlier this month with HackerOne, which administers Uber's bug bounty, but his report was quickly rejected. Uber marked the bypass bug report as "informative", which, according to documentation, means it contains "useful information but did not warrant an immediate action or a fix".

"This isn't a particularly severe report and is likely expected behavior," said Rob Fletcher, security engineering manager at Uber, at the time in his correspondence with Saini about the bug report.

Saini reached out to ZDNet when Uber dismissed his findings.


"If it's not a security feature, why even have it?" he told ZDNet. "There is no need for a novelty 2FA if it doesn't actually serve a purpose."

ZDNet initially refrained from revealing specifics of the bug in order to prevent malicious use. Now that the issue has been fixed, we can say that the bug allowed anyone to exploit how Uber authenticates a user when they log in to the platform.

Saini explained that anyone could log in with an email address and password, and when presented with a two-factor prompt, switch to Uber's "help" subdomain in the same browser session, enter the same email address and password, and log in without ever entering a two-factor code.
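The bypass as Saini describes it is a classic case of two entry points sharing one login session while only one of them enforces the step-up check. The toy model below is added here as an illustration; it is not Uber's code or the researcher's, and USERS, AuthSession and every function name in it are hypothetical. It shows the flawed design next to the fix: derive "fully authenticated" in one central place from the verified factors and the policy, so that no individual front-end can declare a session logged in on its own.

```python
"""Constructed model of a two-front-end login flow sharing one session.
Standard library only; accounts, names and policy are made up."""
from dataclasses import dataclass
from typing import Optional
import hmac
import secrets

# Constructed accounts. "needs_2fa" stands in for the risk engine's verdict:
# the article says Uber demands a code only for logins it deems suspicious.
USERS = {
    "alice@example.com": {"password": "correct horse", "needs_2fa": True},
    "bob@example.com": {"password": "battery staple", "needs_2fa": False},
}


@dataclass
class AuthSession:
    user: Optional[str] = None
    password_ok: bool = False        # first factor verified
    second_factor_ok: bool = False   # code accepted
    pending_code: Optional[str] = None
    authenticated: bool = False      # the flag the vulnerable design trusts


def _password_matches(email: str, password: str) -> bool:
    rec = USERS.get(email)
    return rec is not None and hmac.compare_digest(rec["password"], password)


def login_main(s: AuthSession, email: str, password: str) -> str:
    """Main site: verifies the password, then demands a code if policy says so."""
    if not _password_matches(email, password):
        return "denied"
    s.user, s.password_ok = email, True
    if USERS[email]["needs_2fa"]:
        s.pending_code = f"{secrets.randbelow(10**6):06d}"  # would be sent by SMS
        return "second_factor_required"
    s.second_factor_ok = s.authenticated = True
    return "logged_in"


def submit_code(s: AuthSession, code: str) -> str:
    """Completes the step-up challenge issued by login_main."""
    if s.pending_code is None or not hmac.compare_digest(s.pending_code, code):
        return "denied"
    s.pending_code = None
    s.second_factor_ok = s.authenticated = True
    return "logged_in"


# ---- vulnerable variant: each front-end decides for itself ---------------
def login_help_vulnerable(s: AuthSession, email: str, password: str) -> str:
    """Help subdomain: re-checks the password but sets the session flag
    without ever consulting the second-factor policy."""
    if not _password_matches(email, password):
        return "denied"
    s.user, s.password_ok, s.authenticated = email, True, True
    return "logged_in"


def view_trips_vulnerable(s: AuthSession) -> str:
    # Trusts a flag that any front-end can set, so the help path bypasses 2FA.
    return "trip history" if s.authenticated else "login required"


# ---- hardened variant: one predicate, derived from the factors ------------
def is_fully_authenticated(s: AuthSession) -> bool:
    """Single source of truth: computed from verified factors plus policy,
    never from a flag a front-end sets on its own."""
    if s.user is None or not s.password_ok:
        return False
    return s.second_factor_ok or not USERS[s.user]["needs_2fa"]


def login_help_hardened(s: AuthSession, email: str, password: str) -> str:
    """Help subdomain routed through the shared flow, so the step-up decision
    is made once, in one place, for every entry point."""
    return login_main(s, email, password)


def view_trips_hardened(s: AuthSession) -> str:
    if s.user is None:
        return "login required"
    return "trip history" if is_fully_authenticated(s) else "second factor required"
```

The last function is the one that matters: because it recomputes the answer from the factors and the policy, even a front-end that wrongly sets `authenticated` (as the vulnerable help path does) cannot reach protected data without the code.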

That means an attacker could log in to your account with just your email address and password, which can be easily obtained if passwords are reused on other sites that have been breached. Uber accounts are regularly traded on the dark web, for as little as a dollar in some cases.

ZDNet reviewed several videos by Saini documenting the bug. We also independently reproduced and verified the bug, albeit with mixed results. In some cases the bug would work, and in others the bug would fail, with nothing obvious to determine why.

When reached prior to publication, Uber spokesperson Melanie Ensign said the bug "is not a bypass". During the time the bug was still present, she said it was "likely caused by the security team's ongoing testing to evaluate and refine the effectiveness of different techniques" to secure accounts.

Uber, for now, only uses two-factor "when certain requests are deemed suspicious", and it is "not an account-wide setting used on every device", Fletcher told Saini in the bug report.

Ensign explained the company uses "machine learning to enforce risk-based authentication by default for all rider and driver accounts". The company uses hundreds of signals -- first revealed by Gizmodo in 2016 -- to detect potentially suspicious behavior, like unauthorized logins and fraudulent rides.

But that was met with skepticism by Saini.

"I do not understand how logging in to my own account from my own IP address, operating system, and browser can be deemed suspicious," Saini responded. (It's worth mentioning that this reporter's Uber account has always, without fail, prompted for a two-factor code when logging in.)

He said that the bug was still "a bypass of the 2FA challenge", even when Uber employs measures against suspicious logins.

Ensign said the company had been "testing different solutions since we received a lot of user complaints about requiring 2FA" on Uber's "help" section, which customers often use "to report a lost or stolen phone and can't receive a code on that device".

Saini said he likely wasn't the first to find the two-factor bypass bug.

Lindsey Glovin, Uber's bug bounty program manager, who also responded to Saini's bug report, said the company "received several reports" on the bypass bug before.

If other security researchers found the bug, Saini said "there's no doubt" that malicious actors may have also found it, "since the bug is that easy to find".

Updated on January 22: Uber said it has fixed the two-factor bypass bug after this story was first published, after ignoring multiple reports for months.


Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
