It's exactly two months after Uber admitted that it had covered up a breach that left the sensitive data of over 57 million users exposed. This time around, the largest taxi company without a single car is again taking its customers for a ride by ignoring a bug that allows an attacker to bypass Two-Factor Authentication (2FA). Not only did Uber refuse to patch the bug, it also claimed the bug wasn't "particularly severe".
Rob Fletcher, Security Engineering Manager at Uber, said the bug is expected behaviour. This was in response to security researcher Karan Saini, who reported the bug through the company's bug bounty program. The report was marked as informative and rebuffed.
“In no way is easily bypassing two-factor authentication ever considered 'likely expected behavior,' and this is as severe as a vulnerability can get,” said John Gunn, CMO at VASCO Data Security.
“If they don't consider a failure to fundamental security protections as being severe, you have to wonder what they would consider severe. Two factor authentication is extremely secure if implemented properly, which is remarkably easy to do,” he added.
Once logged in with a valid email and password, an attacker can bypass 2FA simply by entering random numbers as the 2FA code, which the system accepts and authenticates.
Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team (VERT), called 2FA “an important security control.”
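The failure mode described above is a verifier that never compares the submitted code with the one it issued. As an added illustration (not Uber's code, and not derived from the report), here is a constructed Python model of an SMS-code challenge with the weak check beside a hardened one; the class and function names are hypothetical.

```python
import hmac
import random
import secrets
import time

CODE_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 5         # lock the challenge after this many wrong codes


class TwoFactorChallenge:
    """Server-side state for one SMS code, created after a correct password."""

    def __init__(self, code=None):
        # Hypothetical: the code is generated here and sent out of band (SMS).
        self.code = code if code is not None else f"{secrets.randbelow(10**6):06d}"
        self.issued_at = time.time()
        self.attempts = 0


def verify_weak(challenge, submitted):
    """The failure mode described above: any well-formed six-digit code is accepted,
    because the server never compares it with the code it actually issued."""
    return len(submitted) == 6 and submitted.isascii() and submitted.isdigit()


def verify_strict(challenge, submitted, now=None):
    """Hardened check: bound to the issued code, expiring, rate-limited, single-use,
    and compared in constant time so a wrong guess leaks nothing through timing."""
    now = time.time() if now is None else now
    if challenge.code is None:                        # already consumed
        return False
    if challenge.attempts >= MAX_ATTEMPTS:            # locked after repeated failures
        return False
    if now - challenge.issued_at > CODE_TTL_SECONDS:  # expired
        return False
    challenge.attempts += 1
    if not hmac.compare_digest(challenge.code.encode(), submitted.encode()):
        return False
    challenge.code = None                             # one-time use
    return True


def count_random_acceptances(verify, challenge, guesses, seed=0):
    """Feed random codes to a verifier and report how many it accepts.
    A sound verifier accepts (almost) none; the weak one accepts every one."""
    rng = random.Random(seed)
    return sum(verify(challenge, f"{rng.randrange(10**6):06d}") for _ in range(guesses))
```

A regression test that feeds random codes to the verifier, as count_random_acceptances does, is the cheapest way to catch this class of defect before it ships.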
He interpreted “Uber's response to mean that they are exploring different signals they can use to decide when it is necessary to verify an SMS code and that users should not expect to receive the 2FA code on each login. Without knowing specific details of the technique, it is impossible to validate whether there is a legitimate bug.”
“This is not the first gripe against Uber's security team either, as another researcher, Gregory Perry, recently published a blog post titled, ‘How I Got Paid $0 From the Uber Security Bug Bounty,' in which he has harsh criticism toward Uber's security team for perceived ineptitudes.”
He also noted that “details from those reports are public, however, and it is my opinion that Uber's response was more or less appropriate within the parameters of their bounty program.”
“Uber's security team also came under fire recently when Reuters published claims that Uber had used their bug bounty program to pay $100,000 of hush money to an individual who had threatened to release Uber customer data.”
Noting that Uber is still stinging from criticism over paying $100,000 in “hush money” to keep a hacker from releasing data stolen in the breach that affected 57 million, Young said, “Before researchers or customers lose faith in Uber's commitment to security, I would simply point out that Uber's HackerOne Hacktivity indicates they have paid upwards of $50,000 in bounty payments in just the past 30 days and more than $1.3 million total.”