Uber has been having a rough time of late, with stiff competition in South East Asia, the lawsuit in the US against Waymo and its ex-CEO’s sexual harassment scandal. Now the company has found its way into the news once again for the wrong reasons: this time because of a security flaw in its system. Discovered by a New Delhi-based security researcher, the loophole could allow an attacker to hack into user accounts by bypassing the two-factor authentication feature.
The case was reported by ZDNet, which said that the two-factor authentication could easily be circumvented by masking a second layer of security.
“Two-factor authentication is a vital part of protecting online accounts that adds a second layer of security on top of your username and password – which can be stolen – by sending a code by text message to your phone which only you would have access to.” – security researcher Karan Saini.
The security bug works by exploiting a weakness in how the app authenticates users when they log in. It appears that the system lets the user log in to the account even without entering the correct code.
Uber, however, does not consider the security bug a particularly severe issue. Rob Fletcher, Security Engineering Manager at Uber, said, “This isn’t a particularly severe report and is likely expected behavior.”
It is also worth noting that Uber began testing two-factor authentication on its systems in 2015. However, the company has yet to push the update widely to its users.