Mohamed M. Fouad has discovered a critical vulnerability in Uber's sign-up invitation link, which allows any user to invite another user to join the service and get one or more free rides based on the promotion code value. The Uber team refuses to patch the flaw, which could allow an attacker to brute-force Uber promo code values and obtain valid codes with amounts of up to $25,000. Uber fixed the brute-force vulnerability, which could lead to many fraud incidents, by applying rate limiting.
Source: https://thehackernews.com/2016/06/unlimited-uber-free-rides.html