An anonymous hacker discovered a method for riding Uber for free and posted it on an online security community site.
Uber Flaw Allows Free Rides
An anonymous hacker has revealed how ordinary users, with some technical help, can ride Uber for free. This is possible because of a flaw in the system that grants new users credit for the service when they first register. The hacker investigated how this program works and took advantage of the perceived flaws.
The Uber mobile application uses the IMEI (International Mobile Equipment Identity) to identify each device registered on the service. However, it appears that this value can easily be changed or spoofed by device owners. By posing as a new user on what looks like a newly acquired device, the hacker is granted new credit by the company. The anonymous user has stated that the following tools are needed for this method:
A Rooted Device – The device must be rooted to run the tools listed below.
Xposed Framework – A framework for modules that allow system and application changes without any APK modification.
CardGen – Used to generate payment card details.
IMEI Changer – Used to change the IMEI number of the rooted device.
The hacker roots the designated device and uses the IMEI changer to modify the device's IMEI value. According to the specification, the last digit is a check digit that should be checked for validity. However, it appears that Uber has not implemented such a precaution.
The next step is to clear the Uber app's data and cache from the Android app settings page and create a new account. Using the CardGen application, the hacker created a counterfeit set of payment card credentials containing all the necessary form data – year and month of validity and the CVV code. Surprisingly, the mobile app does not validate the card upon registration.
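As an added example (not Uber's code and not from the original post), here are the server-side sanity checks the article describes as missing: Luhn validation of the IMEI check digit and of the card number, plus an expiry check. The function names are my own, and the sample values are well-known published test numbers, not real accounts.

```python
# Added example, not Uber's code: input-sanity checks for the two values the
# article says went unvalidated. Both the 15-digit IMEI (GSMA TS.06) and a
# payment card number (ISO/IEC 7812) end in a Luhn check digit.
import re
from datetime import date


def luhn_checksum_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check (rightmost digit is the check digit)."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the right; double every second digit, starting left of the check digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def imei_valid(imei: str) -> bool:
    """A well-formed IMEI is exactly 15 digits whose last digit is a Luhn check digit."""
    return bool(re.fullmatch(r"\d{15}", imei)) and luhn_checksum_valid(imei)


def card_number_valid(pan: str) -> bool:
    """Strip spaces/dashes; a PAN is 12 to 19 digits ending in a Luhn check digit."""
    pan = re.sub(r"[ -]", "", pan)
    return bool(re.fullmatch(r"\d{12,19}", pan)) and luhn_checksum_valid(pan)


def expiry_not_past(month: int, year: int, today=None) -> bool:
    """A card is usable through the last day of its expiry month; today is (year, month)."""
    if today is None:
        today = (date.today().year, date.today().month)
    return 1 <= month <= 12 and (year, month) >= today


def registration_problems(imei, pan, exp_month, exp_year, today=None):
    """Return the names of the checks a signup failed; an empty list means all passed."""
    problems = []
    if not imei_valid(imei):
        problems.append("imei")
    if not card_number_valid(pan):
        problems.append("card")
    if not expiry_not_past(exp_month, exp_year, today):
        problems.append("expiry")
    return problems
```

A correct check digit only proves the value is well formed, not that it belongs to a real, unique device or a real card, so these checks reject junk input but cannot by themselves detect a spoofed IMEI.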
There are conflicting reports on whether other related methods have been employed by other hackers. We anticipate that such bugs will be quickly mitigated by the service if they have not been fixed already. The root of these problems lies in the algorithm Uber uses to determine whether a given user is new to the system. The use of the IMEI is one of the oldest methods used by many systems and services for initial authentication.