Bug Allows Attackers to Bypass Uber’s Two-Factor Authentication System
In November 2017, ridesharing app giant Uber was mired in controversy when it was revealed that the information of 57 million drivers and riders were exposed on the internet. In another security-related incident, security researcher Karan Saini discovered a bug that allows an attacker to bypass the Uber app's two-factor authentication (2FA) feature.
The company started experimenting with 2FA back in 2015, as part of its push to move beyond basic credentials such as passwords and email authentication. However, this feature could be exploited by an attacker due to the way Uber authenticates users when they log into the app. Details from Saini revealed that individuals could log into an account as long as they have the email address and password. They can then bypass the 2FA protection by switching to Uber's "help" subdomain in the same browser session, after which the user can enter the same credentials used earlier to log in.
Uber, which already patched the bug as of the time of publication, mentioned that it could have resulted from the company security team’s efforts to evaluate the effectivity of different 2FA techniques. The company also pointed out that the 2FA feature is not a standard setting for every device, but rather used when deemed appropriate—that is, when suspicious activity is detected.
The importance of two-factor authentication
At a time when data breaches and information theft are becoming much more common incidents, both organizations and users should be looking into moving beyond the traditional single layer of credential authentication and consider setting up two-factor authentication. For companies, this means integrating 2FA security into their systems, while for individuals, this means actually using those options, if it is not set to default.
2FA is not a perfect system—as seen in this example. In addition, cybercriminals can also use techniques that involve phishing and malware to bypass this security layer. However, more security is always better than less, and the additional steps required for 2FA is better than a single layer of security. It doesn’t necessarily need to be complicated either, as most 2FA security involves either SMS messages or more secure app-based 2FA security.
Organizations, especially those that process and store significant amounts of customer data, should prioritize adding layers of security to their systems. 2FA is an easily implementable method of additional security that does not require too much complicated steps for both the company and its users.
Learn more about how to set up two-factor authentication (2FA) for online accounts.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.