This code can be sent to your phone via text message, or in some cases, as with banks, generated by a dongle that you press. Various companies and services, such as Uber, use such systems, but a recent report from ZDNet has revealed that the company’s system has a bug that renders 2FA useless, and the worst part is that it seems like they aren’t that interested in addressing it.
The bug was initially discovered by security researcher Karan Saini, who reported it to HackerOne, which administers Uber’s bug bounty. HackerOne said that the bug was “informative” and that it contains “useful information but did not warrant an immediate action or a fix.” Rob Fletcher, security engineering manager at Uber, followed up with Saini by saying, “This isn’t a particularly severe report and is likely expected behavior.”
When asked about the bug, Uber spokesperson Melanie Ensign was quoted as saying, “We’ve been testing different solutions since we received a lot of user complaints about requiring 2FA on [an Uber web address which we are redacting per our decision to not reveal specifics of the bug] when people are trying to report a lost or stolen phone and can’t receive a code on that device.”