Update (Oct 2, 2015): Uber has finally started verifying the accounts using SMS before any ride.

Update (Sep 15, 2015): Got a call from the Uber team. They are working to fix this bug.

Overview

A month ago I was introduced to the Uber application by one of my friends. He booked a taxi for us as we had a meeting in Noida. I liked the application’s interface and simplicity. The overall experience of our ride was really good. I decided to install it on my phone, as the add-on of a free ride worth 400₹ looked lucrative.

I installed the application and linked it to my PayTm Wallet. Entering the coupon code gave me a free ride up to 400₹. I booked a cab from my office to home. The experience was good until I found that the coupon code wasn’t applied to that ride. It made my Uber account balance go negative. Surprisingly, Uber was unable to deduct the balance from my PayTm wallet. It could be a temporary glitch. I mailed Uber support and told them about this issue. They were unable to resolve it and I finally decided to flush the account and create a new one.

Bypassing Sign-up Limit

I tried creating a new account on my phone but the app immediately flashed: “We are sorry but this device has reached the maximum signup limit”. I bypassed this by going to https://get.uber.com/sign-up/ and signing up there. As Uber didn’t allow me to use my existing PayTm wallet account, I linked this new account to my credit card. I noticed something interesting in Uber’s sign-up mail that I am going to share later. So, account creation was successful. I picked up my phone, went to the settings tab and cleared the application data on my Android phone to put in the new account information. I used the coupon again and this time the coupon worked well with my ride.

After this incident I was sure that Uber certainly has some bugs in its application. I decided to explore the application a bit more. I flushed the new account after the first ride and jumped over to the Uber sign-up page. I had already used my two phone numbers and I had no other mobile number. I selected PayTm wallet as the payment method and put in some random mobile number. Remember the interesting thing about the sign-up mail? It’s the link to confirm your Uber account.

I clicked that link and my account was confirmed. I cleared the app data again and pushed the new account details. I was now able to use the Uber account that was linked with someone else’s PayTm Wallet. I was able to book rides (but I didn’t). I was more interested in checking Uber’s security.
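
The fix noted in the Oct 2 update, SMS verification before any ride, closes the gap described above, where the e-mail confirmation link alone activated an account tied to a phone number nobody had proven they own. A sketch of such a gate follows as an added example; it is not Uber's code and not from the original post, and the class, function names, validity window and attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3        # assumed guess limit per issued code
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed here)


class Account:
    def __init__(self, email, phone):
        self.email, self.phone = email, phone
        self.email_confirmed = False
        self.phone_verified = False
        self.otp_mac = None      # only a MAC of the code is stored
        self.otp_expires = 0.0
        self.otp_attempts = 0


def _mac(account, code):
    # Bind the code to the phone number so it cannot be replayed for another one.
    msg = f"{account.phone}:{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_otp(account, now):
    """Create a 6-digit code; a real service would send it by SMS to account.phone."""
    code = f"{secrets.randbelow(10**6):06d}"
    account.otp_mac = _mac(account, code)
    account.otp_expires = now + OTP_TTL_SECONDS
    account.otp_attempts = 0
    return code


def verify_otp(account, code, now):
    """Mark the phone verified only for a fresh, correct code within the attempt limit."""
    if account.otp_mac is None or now > account.otp_expires:
        return False
    account.otp_attempts += 1
    if account.otp_attempts > MAX_ATTEMPTS:
        account.otp_mac = None   # burn the code; a new one must be issued
        return False
    if hmac.compare_digest(account.otp_mac, _mac(account, code)):
        account.phone_verified = True
        account.otp_mac = None   # single use
        return True
    return False


def can_book_ride(account):
    # The e-mail link alone is not enough: the phone tied to the wallet must be proven too.
    return account.email_confirmed and account.phone_verified
```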

Account Ban

I knew that hacking Uber wouldn’t be a cake-walk. After creating and flushing 2-3 accounts, Uber started banning my account as soon as I logged in. I stumbled around and found that the Uber app asks for around 16+ permissions and uses that data to authenticate users. The primary motive for Uber to do this is to prevent people from creating multiple accounts.

Since I am using a rooted Android phone, I installed Xposed Framework and a nifty module called XPrivacy. For those who don’t know, Xposed is a framework for modules that can change the behavior of the system and apps without touching any APKs, and XPrivacy is an Xposed Framework module that can restrict the categories of data an application can access. Simply said, I can now control what the Uber application can access. I studied what permissions Uber is asking for and restricted them.

At this point in time, I also generated a virtual credit card to experiment with whether they have a security mechanism for credit card verification. So everything was set up; I was ready with the VCC and fake device data. I tried signing up from my phone and YES! I was able to sign up. Not only did I bypass the one sign-up per device limit, but I was also able to bypass the payment method and use a credit card that doesn’t exist.

In a nutshell, even though Uber is the biggest taxi company in the world and has several mechanisms to detect fake sign-ups, there is a lot more to be done to secure the application.

Disclosures

Before writing this post, I tried contacting Uber Support and told them that there is a bug in their application that can be exploited for free rides. Uber support replied that they would look into this matter but they never asked for any details. I even tried calling Gagan Bhatia (GM, Uber Delhi) but my call went unanswered. I hope Uber will take action and fix its application ASAP!