A critical vulnerability in an Uber app has been discovered by an independent security researcher from Egypt. It allows an attacker to brute force the invite URL and grab an unlimited number of promo codes worth up to $25,000 for unlimited free rides.
The Egyptian hacker, Mohamed M. Fouad, found the vulnerability in the URL get.uber.com/invite/, which is used to send an invitation to another user. By repeatedly brute forcing this endpoint, he could grab other people’s free promo codes. This Uber promo code hack lets a person earn up to $25,000 in more than one free ride.
In his blog, Mohamed writes that he found a lack of protection against any type of brute force attack. This gave him a chance to get different promo codes with “high amounts in dollar currency between 5,000$ to 25,000$”, that is, codes amounting to $5,000 – $25,000.
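As an added illustration (not code from the article, from Uber, or from the researcher), here is the defender-side check that the missing brute-force protection calls for: counting how many distinct invite codes a single client requests within a short window, run over constructed web-server log lines. The log format, client IPs and invite-code values are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines: one client walking through invite codes, one normal lookup.
SAMPLE_LOG = """\
203.0.113.7 [10/Mar/2015:12:00:01] "GET /invite/aaaa1" 404
203.0.113.7 [10/Mar/2015:12:00:01] "GET /invite/aaaa2" 404
203.0.113.7 [10/Mar/2015:12:00:02] "GET /invite/aaaa3" 404
203.0.113.7 [10/Mar/2015:12:00:02] "GET /invite/aaaa4" 404
203.0.113.7 [10/Mar/2015:12:00:03] "GET /invite/aaaa5" 200
198.51.100.2 [10/Mar/2015:12:00:05] "GET /invite/friend1" 200
"""

# Assumed log layout: <ip> [<timestamp>] "GET /invite/<code>" <status>
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "GET /invite/([^" ]+)" (\d{3})$')


def parse(line):
    """Return (ip, timestamp, code, status) for an invite lookup, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, code, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"), code, int(status)


def find_enumerators(log_text, window=60, max_distinct=3):
    """Map each client IP that requested more than `max_distinct` different
    invite codes inside any `window`-second span to the largest such count.
    Distinct codes per client is the signal, not response status: the hits
    that matter are the ones that resolve to a valid code."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            ip, t, code, _status = rec
            per_ip[ip].append((t, code))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            distinct = {c for _, c in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

The same per-client count is what a rate limit on the invite endpoint would enforce before the lookup happens; the log-side version is the after-the-fact alert.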
Those high-value promo codes might be related to vehicles other than cars, such as helicopters.
It should be noted that Uber promo codes are of two types: public invite promo codes and hidden/private “Emergency Ride” codes.
Public codes are generally meant for new users, but this Uber promo code hack lets an existing user use them to get free rides, and by coincidence an attacker can also obtain a valid Emergency Ride code that is supposed to be hidden.
Unexpectedly, Uber refused to acknowledge the flaw behind the promo code hack and called it out of scope. Uber treated Mohamed’s repeated reports as fraud and forwarded the request to its fraud team.
The Uber promo code hack still exists in the Uber app and might pose a great risk to all its users.