Uber security flaw compromised two-factor authentication

It isn't much of a security measure if there's a workaround.
Jon Fingas, @jonfingas
January 22, 2018

Two-factor authentication only works if it's strictly enforced in software, and it sounds like Uber might have fallen short of that goal for a while. In a chat with ZDNet, security researcher Karan Saini has revealed a flaw in Uber's two-factor verification that reportedly rendered it useless. Saini has been keeping the exact details of the exploit under wraps to prevent abuse, but it revolved around a vulnerability in how Uber authenticates users when they sign in. The net effect was clear: an intruder might have only needed your username and password to sign in, giving them the chance to swipe personal info or misuse services.

Saini characterized Uber's response as dismissive, although Uber is telling a different story. The ridesharing company initially told him that the issue wasn't "particularly severe" and was expected, marking it as "informative" -- that is, notable but not pressing. When we reached out to Uber, however, it said that it had fixed the flaw (Saini had previously been informed about this) and that it applied the "informative" label because it was already working on a solution.

The odds are that your data is safe as a result. All the same, this illustrates the fragility of two-factor security. It's much better than a basic sign-in, but it can be defeated in the right circumstances. You still need to keep an eye on your account activity in case intruders are particularly determined to hijack your account.

Update: Saini disputed Uber's claim that it notified him about the fix, and said that a solution only showed up about an hour after ZDNet's piece.
