Uber has fixed a bug that allowed access to the secret developer tokens of apps that integrated with the ridesharing service, according to the security researchers who discovered the flaw.
In a blog post, Anand Prakash and Manisha Sangwan explained that a vulnerable developer endpoint on Uber’s back-end systems — since locked down — was mistakenly spitting back client secrets and server tokens for apps authorized by the Uber account owner.
Client secrets and server tokens are considered highly sensitive bits of information for developers, as they allow apps to communicate with Uber’s servers. For its part, Uber warns developers to “never share” the keys with anyone.
Prakash, founder of Bangalore-based AppSecure, told TechCrunch that the bug was “very easy” to exploit, and could have allowed an attacker to obtain trip receipts and invoices. But he didn’t test how far the access could have gone as he immediately reported the bug to Uber.
Uber took a month to fix the bug, according to the disclosure timeline, and considered it serious enough to email developers last week warning of the possible exposure.
“At this time, we have no indication that the issue was exploited, but suggest reviewing your application’s practices out of an abundance of caution,” Uber’s email to developers said. “We have mitigated the issue by restricting the information returned to the name and id of the authorized applications.”
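The mitigation Uber describes, restricting an "authorized applications" response to name and id, amounts to an allow-list serializer plus a check that no secret field leaves the server. The following is an added Python example, not Uber's code; the endpoint shape, record layout and placeholder values are assumptions.

```python
# Added example (not Uber's code): the vulnerable serializer returns whole app
# records, leaking client_secret and server_token; the fixed serializer
# allow-lists name and id, matching the mitigation quoted above.

SENSITIVE_FIELDS = {"client_secret", "server_token"}
ALLOWED_FIELDS = ("id", "name")

# Constructed sample store (placeholder values, not real credentials):
# the apps a single account owner has authorized.
AUTHORIZED_APPS = [
    {"id": "app_001", "name": "Receipt Exporter",
     "client_secret": "PLACEHOLDER_SECRET_1", "server_token": "PLACEHOLDER_TOKEN_1"},
    {"id": "app_002", "name": "Trip Analytics",
     "client_secret": "PLACEHOLDER_SECRET_2", "server_token": "PLACEHOLDER_TOKEN_2"},
]


def list_authorized_apps_vulnerable(apps=AUTHORIZED_APPS):
    """Returns the stored records as-is: every sensitive field reaches the caller."""
    return [dict(app) for app in apps]


def list_authorized_apps_fixed(apps=AUTHORIZED_APPS):
    """Allow-list serializer: only fields the client actually needs leave the server."""
    return [{field: app[field] for field in ALLOWED_FIELDS if field in app}
            for app in apps]


def leaked_fields(payload):
    """Response check: names every sensitive field found anywhere in the payload.

    Walks nested dicts and lists so a secret tucked inside a sub-object is
    still caught. Returns a sorted list; an empty list means nothing leaked.
    """
    found = set()
    if isinstance(payload, dict):
        found |= SENSITIVE_FIELDS & set(payload)
        for value in payload.values():
            found |= set(leaked_fields(value))
    elif isinstance(payload, list):
        for item in payload:
            found |= set(leaked_fields(item))
    return sorted(found)
```

Wiring `leaked_fields` into the endpoint's response tests turns this class of disclosure into a failing build rather than a bug-bounty report.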
Uber did not respond to a request for comment. If that changes, we’ll update.
Prakash was paid $5,000 in Uber’s bug bounty for reporting the bug, and currently ranks in the top five submitters on Uber’s bug bounty.
The security researcher is no stranger to Uber’s bug bounty. Two years ago, he found and successfully exploited a bug that allowed him to receive free trips in both the U.S. and his native India.