No One Looks Good in Uber's Bug Bounty Fight
This weekend, a security consultant detailed what he believed were serious vulnerabilities in
"This sounds like really bad security on Uber's part," Aaron Parecki, author of OAuth 2.0 Simplified and consultant on the protocol, told Gizmodo over email. "OAuth recommends that access token lifetime is very short, only as long as necessary depending on the risk associated with the token leaking. Examples given are minutes to hours." He further commented that an extension for handling these issues was published back in 2013.
Naturally, the perception that a distrusted company stiffed a well-meaning researcher out of a couple hundred bucks sparked a firestorm on Twitter and hacker-friendly forums. If accurate, this wouldn't be the first or even close to the highest-profile example of Uber failing to protect user data. Hackers exposed the data of 57 million users back in 2016, which the company only admitted earlier this month.
With every reason to distrust Uber, a number of security researchers nonetheless stood by the company's handling of this incident, citing the non-critical nature of the reported bugs, the likelihood that Uber already knew of them before these reports, and, most of all, Perry's conduct after being rebuffed.
to Perry's reports on disclosure platform
HackerOne's founder commented on this exchange earlier today on Twitter, stating that "this community leaves no tolerance for personal harassment. Brilliant Jerks are invited to apply their talents elsewhere."
Uber may have handled this dustup responsibly, but it remains a company with a legacy of less-than-admirable business practices that have engendered serious distrust from the public. Perry, on the other hand, is just a garden-variety jerk. Still, the uproar caused by Perry's post undermines the utility of bug bounty programs, the preferable alternative to exploits being sold to malicious parties instead of to the companies (and customers) they endanger.