“There is no need for a novelty 2FA if it doesn’t actually serve a purpose. Uber has ignored a security bug that can allow an attacker to hack into user accounts by bypassing two-factor authentication because the ride sharing company says the flaw “isn’t a particularly severe” issue.
Two-factor authentication (2FA) is a vital part of protecting online accounts. It adds a second layer of security on top of your username and password — which can be be stolen — by sending a code by text message to your phone, for example, which only you would have access to.
More sites than ever are using two-factor, like Amazon, Facebook, and Google, to double-down on security after a spate of breaches in recent years that have exposed billions of passwords to hackers, who can use them to sign and take over accounts. Uber concealed a breach of its system late last year, in which account information on 57 million users was accessed.
Although Uber began testing two-factor authentication on its systems in 2015, the company has yet to widely push the security feature to its users. Many users however are regularly sent two-factor codes in order to log in. These are sent to the phone they use to request a car.
But that two-factor code can be bypassed, making the second layer of security protection effectively useless, said Karan Saini, a New Delhi-based security researcher, who found the bug.
He filed a bug report with HackerOne, which administers Uber’s bug bounty, but his report was quickly rejected. Uber marked the bypass bug report as “informative,” which according to documentation, means it contains “useful information but did not warrant an immediate action or a fix.”
“This isn’t a particularly severe report and is likely expected behavior,” said Rob Fletcher, security engineering manager at Uber, in his correspondence with Saini about the bug report.
Saini reached out to ZDNet when Uber dismissed his report.
“If it’s not a security feature, why even have it?” he told ZDNet. “There is no need for a novelty 2FA if it doesn’t actually serve a purpose.”
The bug works by exploiting a weakness in how Uber authenticates a user when they log in to the platform. The end result is that the user can log in to an account and easily defeat the two-factor prompt, without entering the correct code. That means anyone could log in to your account with just your email address and password, which can be easily obtained if passwords are reused on other sites that have been breached. Uber accounts are regularly traded on the dark web, for as little as a dollar in some cases.
ZDNet reviewed several videos by Saini documenting the bug. We also independently reproduced and verified the bug, albeit with mixed results. In some cases the bug would work, and in others the bug would fail, with nothing obvious to determine why.
Although Uber said this was “expected behavior,” we are not revealing specifics of the bug, in order to prevent malicious use.
Uber spokesperson Melanie Ensign said the bug “is not a bypass,” and is “likely caused by the security team’s ongoing testing to evaluate and refine the effectiveness of different techniques” to secure accounts.
Uber only uses two-factor “when certain requests are deemed suspicious,” and it is “not an account-wide setting used on every device,” Fletcher told Saini in the bug report.
Ensign said the company uses “machine learning to enforce risk-based authentication by default for all rider and driver accounts.” The company uses hundreds of signals — first revealed by Gizmodo in 2016 — to detect potentially suspicious behavior, like unauthorized logins and fraudulent rides.
“I do not understand how logging in to my own account from my own IP address, operating system, and browser can be deemed suspicious,” Saini responded. (It’s worth mentioning that this reporter’s Uber account has always, without fail, prompted for a two-factor code when logging in.)
“My point is that this is a bypass of the 2FA challenge Uber employs when certain requests are ‘deemed suspicious’, regardless of the fact,” said Saini.
When reached, Ensign said: “We’ve been testing different solutions since we received a lot of user complaints about requiring 2FA on [an Uber web address which we are redacting per our decision to not reveal specifics of the bug] when people are trying to report a lost or stolen phone and can’t receive a code on that device.”
“We believe those tests are causing both the existence and inconsistency of this issue,” she said.
Saini recognizes that he is likely not the first to find the two-factor bypass bug.