Uber just gave me access to someone else’s Paytm wallet!

I have been using the cab booking applications for a while now & the referral scheme definitely seems to have grown on me. So much so that, even my mother who hardly uses her phone has them installed. So believe me when I say, I really like the convenience & have no prejudice against either of the popular two in my country — Uber or Ola.

Welcome mail from Uber

As most others, I too, often overlook the random bugs that occur in these apps. However this recent incident has made me wonder whether or not to make it a part of “essentials” & blindly trusting it with my personal/card details. So here is how it goes…

It started with another welcome mail, a few days back:

Welcome again, an year later.

And immediately after, my profile details get updated. I’m being addressed as ‘Vaishnavi’ & my mobile number has been updated. I do get an alert of the updated number in my phone as well.

So I visit their site, make the changes, including a new password & shoot a mail to their support. Then I check the app to see the changes… but boy, was I in for a surprise.

The app now reflected me cruising around Coimbatore (I live in Gurgaon), my trip history showed three travels I never took (while my records lost), a new referral link, and of course, my updated profile details.

I found the bug initially funny, that I’m looking at ‘Vaishnavi’ booking a trip, moving around. Next step was to check what mashup had been done with my payment modes. This is where I really hoped, that their system might have detected two people logged in or at least some sort of uncommon behaviour, generating a warning & temporarily blocking all payment modes.

Nope. Nada. My Paytm wallet had been replaced by hers. And she had the initial Rs 200. I could see how she used 123 of it & the balance 73 was left.

App payment page

I had 1 corporate credit card, 1 debit card & this Paytm wallet linked. When I told this to my sister, her first question was, “does he/she have access to your other payment modes? Contact them immediately”.

Being a developer myself, I was trying to find reasons of why it could have happened. This is when I remembered, that while updating my profile, even though I updated my phone number & email ID, it had only confirmed the update using an OTP sent in mobile, the very first time. So perhaps, the one using it, entered my mail id, and my account was somehow overridden. Logical flaw in the app verification??

Anyways, I also wrote to the security support & explained everything there is to this. Ofcourse I do get an immediate generic response.

And after another few days, a mail from the support:

So basically I’m at fault for setting a weak password, using a common mail or probably babbling my password in public. And they have no problems whatsoever, cause apparently, “Safety and accountability is built into the Uber experience, before, during and after a ride.”

Great.

I’m done wasting my time with you guys. With this post, I’m hoping, if there is indeed a flaw, you will find & fix it or Hackers will find it, you will take note & fix it.

Update: Now my Uber app just shuts down with an error as soon as it opens. nice fix?

Founder @ Jetbrain Robotics

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store