Security Flaw Ignored By Uber That Renders “

By ISBuzz Team, Writer, Information Security Buzz | Jan 23, 2018 01:00 pm PST

It has been revealed that Uber ignored a security bug that could give attackers access to user accounts by bypassing two-factor authentication, with the taxi giant stating the flaw “isn’t a particularly severe” problem. Javvad Malik, Security Advocate at AlienVault, commented below.

Javvad Malik, Security Advocate at AlienVault: 

“Bug bounties are great for identifying flaws that may have slipped through regular testing and secure design. However, they shouldn’t be used as an alternative to rigorous testing.

It also illustrates one of the challenges often mentioned by researchers, in that their findings are either not taken seriously, or are dismissed as duplicates without any real proof. For this reason, more transparency by companies that run bug bounties is needed.

Digging a bit into the technicalities, it’s important to understand that SMS isn’t necessarily true two-factor, rather it is two-step verification.

While the phone is “something you have” the phone isn’t integral to the second factor. If the SIM card was put in a different device, or the number was ported, then it is possible to authenticate without having that device. The same is true when email is used as a second ‘factor’.

This is particularly important to understand in the context of apps that reside almost exclusively on the phone. The struggle for many companies is that the app, email, and SMS all reside on the same device, a small device that is easy to steal or clone. So it is necessary that additional controls are deployed, akin to anti-fraud controls which would evaluate the likelihood that a booking is being made by a legitimate user, taking into consideration factors like usual geography, a new device registering, the types of trips, etc.

It’s not a particularly easy problem to solve with one change. Rather, security needs to be sprinkled throughout the process – as well as having secure methods by which users can report lost or stolen devices. In the whole ecosystem, we’ll likely see two-step authentication become the accepted norm in the long run – with sensitive companies moving towards two-factor.”
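The kind of booking-risk control described in the comment above, as an added example that is not code from the article, Uber or AlienVault. It scores each booking against what the account usually does (known device, usual geography, usual trip types, a recent phone-number change) and decides whether a number-bound code (SMS or email) is enough or an approval from an already-enrolled device is required. The account profile, event shape, signal names, weights, thresholds and sample bookings are all constructed assumptions for illustration.

```python
"""Risk-scored booking check for a phone-centric app (illustrative example).

Added example, not code from the article, Uber or AlienVault. All profiles,
events, signal weights and thresholds are constructed assumptions.
"""
from dataclasses import dataclass, replace
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class AccountProfile:
    user_id: str
    enrolled_device_ids: set              # devices holding a device-bound key
    home_lat: float                       # centre of the account's usual geography
    home_lon: float
    usual_trip_types: set
    days_since_number_change: Optional[int]  # None if the number never changed


@dataclass
class BookingEvent:
    user_id: str
    device_id: str
    lat: float
    lon: float
    trip_type: str
    second_step: str  # "sms", "email" (number/mailbox-bound) or "enrolled_device_approval"


# Steps that only prove control of a number or mailbox, not of a device:
# a SIM swap or port-out defeats them (the point made in the comment).
NUMBER_BOUND_STEPS = {"sms", "email"}

# Illustrative weights and thresholds (constructed, not tuned on real data).
WEIGHT_NEW_DEVICE = 40
WEIGHT_FAR_FROM_USUAL_GEOGRAPHY = 30
WEIGHT_UNUSUAL_TRIP_TYPE = 15
WEIGHT_RECENT_NUMBER_CHANGE = 35
FAR_DISTANCE_KM = 500
RECENT_NUMBER_CHANGE_DAYS = 7
STEP_UP_THRESHOLD = 40
DENY_THRESHOLD = 70


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def risk_signals(profile, event):
    """Return the signals that fired for this booking, mapped to their weights."""
    signals = {}
    if event.device_id not in profile.enrolled_device_ids:
        signals["new_device"] = WEIGHT_NEW_DEVICE
    if haversine_km(profile.home_lat, profile.home_lon, event.lat, event.lon) > FAR_DISTANCE_KM:
        signals["far_from_usual_geography"] = WEIGHT_FAR_FROM_USUAL_GEOGRAPHY
    if event.trip_type not in profile.usual_trip_types:
        signals["unusual_trip_type"] = WEIGHT_UNUSUAL_TRIP_TYPE
    # Number changed hands recently and the step presented is number-bound:
    # this is the SIM-swap / port-out pattern.
    recently_changed = (profile.days_since_number_change is not None
                        and profile.days_since_number_change <= RECENT_NUMBER_CHANGE_DAYS)
    if recently_changed and event.second_step in NUMBER_BOUND_STEPS:
        signals["number_changed_then_number_bound_step"] = WEIGHT_RECENT_NUMBER_CHANGE
    return signals


def decide(profile, event):
    """'allow', 'step_up' (require an enrolled-device approval) or 'deny'."""
    score = sum(risk_signals(profile, event).values())
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD and event.second_step in NUMBER_BOUND_STEPS:
        return "step_up"
    return "allow"


def run_demo():
    """Score four constructed bookings for one constructed account."""
    profile = AccountProfile("u-1001", {"dev-a1"}, 51.5074, -0.1278,  # London (constructed)
                             {"commute", "airport"}, None)
    ported = replace(profile, days_since_number_change=2)  # number moved 2 days ago
    cases = [
        ("known_device_home_sms", profile,
         BookingEvent("u-1001", "dev-a1", 51.51, -0.12, "commute", "sms")),
        ("new_device_nearby_sms", profile,                      # Paris, ~344 km away
         BookingEvent("u-1001", "dev-z9", 48.8566, 2.3522, "commute", "sms")),
        ("new_device_nearby_enrolled_approval", profile,
         BookingEvent("u-1001", "dev-z9", 48.8566, 2.3522, "commute", "enrolled_device_approval")),
        ("new_device_far_unusual_after_number_change", ported,  # New York, unusual trip
         BookingEvent("u-1001", "dev-z9", 40.7128, -74.0060, "luxury", "sms")),
    ]
    return {name: decide(p, e) for name, p, e in cases}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:45s} -> {verdict}")
```

The design choice worth noting is in `decide`: a medium-risk score is not an outright denial, but it does stop treating an SMS or email code as sufficient, because those steps travel with the phone number or mailbox rather than with the device. Only an approval signed by a key on an already-enrolled device clears the step-up, which is what makes the second step a factor the user actually has to possess.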
