Uber says bug that allows 2fa bypass 'not particularly severe'
Uber says bug that allows 2fa bypass 'not particularly severe'

In cyber-security terms, Uber is having a rough ride, mostly of its own doing. 

Just two months after the car-sharing service admitted to covering up a breach that exposed sensitive information on 57 million customers and drivers, a security researcher has discovered a flaw that would let hackers bypass two-factor authentication (2fa) and which has gone unpatched by the company, which said it wasn't “a particularly severe report.”

Uber security engineering manager Rob Fletcher also called the bug “likely expected behaviour” in response to security researcher Karan Saini, who reported the flaw to HackerOne, administrator of the company's bug bounty programme, only to have it rebuffed and marked as “informative,” according to a report by ZDNet.

“In no way is easily bypassing two-factor authentication ever considered 'likely expected behaviour,' and this is as severe as a vulnerability can get,” said John Gunn, CMO at VASCO Data Security. “If they don't consider a failure to fundamental security protections as being severe, you have to wonder what they would consider severe. Two factor authentication is extremely secure if implemented properly, which is remarkably easy to do.”

The bug allows a hacker to log into an account using an email address and password, then bypass 2fa by entering a random code when prompted.

While Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team (VERT) called 2fa to be “an important security control,” he interpret “Uber's response to mean that they are exploring different signals they can use to decide when it is necessary to verify an SMS code and that users should not expect to receive the 2FA code on each login.  Without knowing specific details of the technique, it is impossible to validate whether there is a legitimate bug.”

Young pointed out, “this is not the first gripe against Uber's security team either, as another researcher, Gregory Perry, recently published a blog post titled, ‘How I Got Paid U S$0 From the Uber Security Bug Bounty,' in which he has harsh criticism toward Uber's security team for perceived ineptitudes,” but he noted that “details from those reports are public, however, and it is my opinion that Uber's response was more or less appropriate within the parameters of their bounty programme.”

Uber's security team also came under fire recently when Reuters published claims that Uber had used their bug bounty programme to pay US$100,000 (£71,000)  of hush money to an individual who had threatened to release Uber customer data. Young said, “Before researchers or customers lose faith in Uber's commitment to security, I would simply point out that Uber's HackerOne Hacktivity indicates they have paid upwards of US$ 50,000 (£35,748) in bounty payments in just the past 30 days and more than US$ 1.3 million (£0.92 million) total.”