Uber app exploit posed safety risk to passengers

A flaw in Uber’s system meant thousands of trips in London were taken with unauthorised drivers at the wheel

A flaw in the Uber minicab app meant that unauthorised drivers were able to upload their photos to other Uber driver accounts, letting them pick up passengers as if they were the booked driver, according to a judgment handed down by Transport for London (TfL), which has decided not to grant the taxi firm a new private hire operator’s licence.

TfL found that as many as 14,000 trips booked in London may have been taken with an unauthorised driver exploiting the loophole. All of these journeys were uninsured as a result, and a number of them took place with drivers who did not hold any form of private hire driver licence, including one who had previously had their licence revoked.

Another flaw in the app enabled drivers who had been dismissed or suspended by Uber to create a new account and carry passengers.

“As the regulator of private hire services in London we are required to make a decision today on whether Uber is fit and proper to hold a licence,” said Helen Chapman, TfL director of licensing, regulation and charging.

“Safety is our absolute top priority. While we recognise Uber has made improvements, it is unacceptable that Uber has allowed passengers to get into minicabs with drivers who are potentially unlicensed and uninsured.

“It is clearly concerning that these issues arose, but it is also concerning that we cannot be confident that similar issues won't happen again in future,” said Chapman. “If they choose to appeal, Uber will have the opportunity to publicly demonstrate to a magistrate whether it has put in place sufficient measures to ensure potential safety risks to passengers are eliminated.

“If they do appeal, Uber can continue to operate and we will closely scrutinise the company to ensure the management has robust controls in place to ensure safety is not compromised during any changes to the app.”


Uber’s regional general manager for northern and eastern Europe, Jamie Heywood, branded the decision “extraordinary and wrong” and said the firm would indeed be appealing.

“We have fundamentally changed our business over the last two years and are setting the standard on safety,” said Heywood. “We will continue to operate as normal and will do everything we can to work with TfL to resolve this situation.”

Facial recognition

Heywood said that over the past two months, Uber had audited every driver working in London to further strengthen its processes. “We have robust systems and checks in place to confirm the identity of drivers and will soon be introducing a new facial matching process, which we believe is a first in London taxi and private hire,” he said.

Uber has made a number of changes to its processes and procedures in recent months, including introducing security and privacy training for drivers, and adding a Check Your Ride feature to its app, as well as emergency assistance support and the ability for passengers to share their journeys with trusted contacts. It has also introduced tougher rules around driver insurance checks.

TfL said that it recognised that Uber had made some positive changes and improvements to its culture, leadership and systems since 2018. It also acknowledged that Uber had co-operated with it in a more transparent and productive manner than before.

However, its investigations into Uber uncovered a litany of other breaches unrelated to application security, including many related to insurance, some of which had led to prosecution for allowing vehicles to operate without valid hire or reward insurance. An independent assessment of Uber’s ability to stop such incidents happening gave TfL no reason to conclude that Uber has a robust system for protecting passengers. It will therefore not grant Uber a new licence.

Uber has 21 days to appeal the ruling, and can continue to operate pending the appeal and throughout the appeal process.

Mayor supports decision

London mayor Sadiq Khan said he supported TfL’s decision, and understood the authority’s rationale for taking it. 

“There is undoubtedly a place for innovative companies in London – in fact we are home to some of the best in the world. But it is essential that companies play by the rules to keep their customers safe,” said Khan.

“Only in the last few months it has been established that 14,000 Uber journeys have involved fraudulent drivers uploading their photos to other driver accounts – with passengers’ safety potentially put at risk getting into cars with unlicensed and suspended drivers. At this stage TfL can’t be confident that Uber has the robust processes in place to prevent another serious safety breach in the future.

“I know this decision may be unpopular with Uber users, but their safety is the paramount concern. Regulations are there to keep Londoners safe, and fully complying with TfL’s strict standards is essential if private hire operators want a licence to operate in London,” said Khan.
