Anand Prakash had discovered commuting nirvana.
The Bangalore-based hacker had found a way to take Uber rides for free – indefinitely. Prakash often fiddles around with web applications, and managed to find a flaw in the Uber app. “When a ride is completed a user can either pay cash or charge it to their credit/debit card,” he said. “But, by specifying an invalid payment method for example: abc, xyz etc, I could ride Uber for free.”
By simply replacing the “payment_method_id” field in the POST request with gibberish, Prakash found that Uber completed the ride without charging for it. Some people would’ve been tempted to stay put and ride around the city with abandon, but Prakash is one of the good guys – he let Uber know about the vulnerability.
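The server-side pattern behind this kind of bug is easy to see in a small sketch. The following is an added, constructed example, not Uber's code and not anything Prakash published: a hypothetical ride-completion handler in which an unrecognised payment_method_id falls through to "no charge", placed beside a hardened version that rejects any method the rider does not actually hold (the ownership check, which also refuses another rider's method id, goes slightly beyond what the article describes). All class names, rider ids, method ids and fare amounts are assumptions.

```python
"""Illustrative ride-completion handler (constructed example, not Uber's code).

InsecureRideService shows the pattern described in the article: only a
recognised method id triggers a charge, and any other value is accepted as if
it were a settled payment. HardenedRideService validates the id server-side
against the rider's own methods before the ride is marked complete.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class PaymentError(Exception):
    """Raised when a ride cannot be billed with the requested method."""


@dataclass
class Rider:
    rider_id: str
    # method_id -> human-readable label; "cash" is handled separately
    payment_methods: Dict[str, str] = field(default_factory=dict)


@dataclass
class RideCompletion:
    status: str
    charged: int   # amount charged, in minor currency units (assumed)
    via: str


class InsecureRideService:
    """Hypothetical insecure handler: unknown ids are never charged."""

    def __init__(self, riders: Dict[str, Rider]):
        self.riders = riders
        self.charges: List[Tuple[str, str, int]] = []

    def complete_ride(self, rider_id: str, payment_method_id: str, fare: int) -> RideCompletion:
        rider = self.riders[rider_id]
        if payment_method_id == "cash":
            # Cash is collected by the driver, so nothing is charged here
            return RideCompletion("completed", 0, "cash")
        if payment_method_id in rider.payment_methods:
            self.charges.append((rider_id, payment_method_id, fare))
            return RideCompletion("completed", fare, payment_method_id)
        # BUG: ids such as "abc" or "xyz" reach here and the ride completes unpaid
        return RideCompletion("completed", 0, payment_method_id)


class HardenedRideService(InsecureRideService):
    """Same API, but the method must belong to the requesting rider."""

    def complete_ride(self, rider_id: str, payment_method_id: str, fare: int) -> RideCompletion:
        rider = self.riders[rider_id]
        if payment_method_id == "cash":
            return RideCompletion("completed", 0, "cash")
        if payment_method_id not in rider.payment_methods:
            # Reject instead of falling through. A burst of rejected ids from one
            # account is also a useful detection signal for the billing team.
            raise PaymentError(
                f"rider {rider_id} has no payment method {payment_method_id!r}")
        self.charges.append((rider_id, payment_method_id, fare))
        return RideCompletion("completed", fare, payment_method_id)


def build_riders() -> Dict[str, Rider]:
    """Constructed sample data: two riders, each with one card on file."""
    return {
        "rider-1": Rider("rider-1", {"pm_111": "Visa ending 4242"}),
        "rider-2": Rider("rider-2", {"pm_222": "Mastercard ending 0001"}),
    }


def try_complete(service: InsecureRideService, rider_id: str,
                 payment_method_id: str, fare: int = 500) -> Optional[int]:
    """Amount charged for the ride, or None if the service refused the request."""
    try:
        return service.complete_ride(rider_id, payment_method_id, fare).charged
    except PaymentError:
        return None


if __name__ == "__main__":
    for name, cls in (("insecure", InsecureRideService), ("hardened", HardenedRideService)):
        svc = cls(build_riders())
        for method in ("pm_111", "abc", "pm_222", "cash"):
            print(name, method, try_complete(svc, "rider-1", method))
```

The fix is the same shape regardless of framework: treat the client-supplied method id as untrusted input, resolve it against the records the server holds for that account, and make "not found" an error rather than a silent default. A rejected id is worth logging, since repeated rejections on one account are the kind of anomaly a billing or fraud team would want to see.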
Uber then gave him permission to test the bug in both the US and India, and he again demonstrated that his hack indeed worked, managing to get free rides on both occasions. Uber fixed the bug the same day, and rewarded Prakash with $5000 (Rs. 3.3 lakh) for his efforts.
Uber, like many other companies, runs bug bounty programs where ordinary users can report bugs in its software, and win awards. These awards can range between $1000 and $10,000, depending on the severity of the bug discovered. Prakash is an old hand at bug-hunting – last year, he’d been rewarded $15,000 (nearly Rs. 10 lakh) by Facebook for discovering a bug in its app.
Prakash graduated from Vellore Institute of Technology in 2014 with a degree in Computer Science. He’d been interested in internet security right from college, having interned with the Haryana Police in its Cyber Security team. After graduating, he’d worked with Flipkart for two years as a Security Researcher.
“We appreciate Anand’s ongoing contributions and were happy to reward him for an excellent report,” said an Uber spokesperson. So while Prakash will still continue to pay for Uber rides like the rest of us, he’s at least been compensated for his efforts – and has the satisfaction of possibly saving the world’s most valuable startup millions of dollars.