Uber security flaw compromised two-factor authentication

Security researcher Karan Saini has revealed a flaw in Uber’s two-factor verification that reportedly rendered it useless.

Saini has been keeping the exact details of the exploit under wraps to prevent abuse, but the flaw lay in how Uber authenticates users when they sign in. The net effect was clear: an intruder might have needed only your username and password to sign in, with the second factor offering no protection, giving them the chance to swipe personal info or misuse services.

Saini characterized Uber’s response as dismissive, although Uber is telling a different story. The ridesharing company initially told him that the issue wasn’t “particularly severe” and was expected, marking it as “informative” — that is, notable but not pressing. When we reached out to Uber, however, it said that it had fixed the flaw (Saini had already been told this) and that it applied the “informative” label because it was already working on a solution.