Researchers Vitor Oliveira, Fábio Pires and Filipe Reis from Portugal-based security firm Integrity recently found several vulnerabilities in Uber's app, one of which let the researchers see a user's name, full trip path, their driver's name and the driver's license plate and car model, according to Integrity's blog post.
Oliveira confirmed the vulnerabilities in a Twitter direct message and said "now it's all fixed." Uber corroborated this by emailing Mic a link to the Integrity team's blog post, where it detailed that all of the bugs the security researchers found had either been resolved or previously reported.
Uber paid the team a total of $18,000 for spotting four vulnerabilities, Oliveira said.
Here's how it worked: Using one of the several vulnerabilities discovered, the group tested a new functionality which let them "see the last trip from every driver" by only knowing their UUID — which can be obtained by requesting a random driver and canceling the trip after they accept, according to the blog post. It adds:
"In the response of this request, we were able to get the driver name, license plate, last trip UUID, last passenger name, number of passengers, the origin and destination of the trip." From there, they were able to see the full path of that Uber trip.
"For the people who are starting the bug bounty programs, our advice is: never give up or be afraid if it is a big company, just have fun and try to learn as much as possible along the way and in time the profits will come," the blog post read.