Skip to main content

In major goof, Uber stored sensitive database key on public GitHub page



Uber is trying to force GitHub to disclose the IP address of every person that accessed a webpage connected to a database intrusion that exposed sensitive personal data for 50,000 drivers. The court action revealed that a security key unlocking the database was stored on a publicly accessible place, the online equivalent of stashing a house key under a doormat.

Uber officials have yet to say precisely what information was contained in the two now-unavailable GitHub gists. But in a lawsuit filed Friday against the unknown John Doe intruders, Uber lawyers said the URLs contained a security key that allowed unauthorized access to the names and driver's license numbers of about 50,000 Uber drivers. The ride-sharing service disclosed the breach on Friday, more than two months after it was discovered.
"The contents of these internal database files are closely guarded by Uber," the complaint stated. "Accessing them from Uber’s protected computers requires a unique security key that is not intended to be available to anyone other than certain Uber employees, and no one outside of Uber is authorized to access the files. On or around May 12, 2014, from an IP address not associated with an Uber employee and otherwise unknown to Uber, John Doe I used the unique security key to download Uber database files containing confidential and proprietary information from Uber’s protected computers."

The language has led to widespread speculation that the pages at issue were made by an Uber employee or contractor who stored a confidential authorization key on the GitHub service. One or more of the unknown John Doe defendants then found the key some time in 2014 and used it to access the Uber database. Uber officials declined to comment on the record, but the company didn't challenge the claim. Uber's release on Friday said: "Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorized access."

It's not the first time people have posted highly confidential data to publicly accessible GitHub pages. In a January 2013 post headlined PSA: Don’t upload your important passwords to GitHub, Ars reported basic searches turned up dozens of passwords and security keys stored on publicly accessible GitHub pages. In some cases, the passwords appeared to secure sensitive information for high-target companies and projects, including the Chromium, a repository that stores the source code for Google's open source browser.

Uber already has been accused of using its vast database of customer trips to track the comings and goings of journalists and VIP riders. The wording of Uber's complaint, saying a security key protecting the Uber database was stored on a publicly assessable GitHub page, is a step backwards for Uber as it attempts to reassure the public that the significant amount of information it holds is safe from prying eyes. It could also attract scrutiny from state or federal watchdogs or from private attorneys representing people injured as a result of Uber's security lapses.
Labels:

Comments

Post a Comment

Popular posts from this blog

How To Hide Text In Microsoft Word 2007, Reveal It & Protect It

Sometimes what we hide is more important than what we reveal. Especially, documents with sensitive information, some things are supposed to be ‘for some eyes only’. Such scenarios are quite common, even for the more un-secretive among us. You want to show someone a letter composed in MS Word, but want to keep some of the content private; or it’s an official letter with some part of it having critical data. As important as these two are, the most common use could involve a normal printing job. Many a time we have to print different versions of a document, one copy for one set of eyes and others for other sets. Rather than creating multiple copies and therefore multiple printing jobs, what if we could just do it from the same document?  That too, without the hassle of repeated cut and paste. We can, with a simple feature in MS Word – it’s just called Hidden and let me show you how to use it to hide text in Microsoft Word 2007. It’s a simple single click process. Open the docum...
1 comment
Read more

Boom, the startup that wants to build supersonic planes, just signed a massive deal with Virgin

Have you heard about Boom? Boom is a relatively new startup that’s aiming to build something pretty crazy. They’re not building an app… or a social network… or even some new gadget for the Kickstarter crowd. Boom wants to build planes. Really, really, really fast planes. Specifically, they’re trying to design and build a supersonic passenger plane that goes 2.2x the speed of sound. If all goes to plan, they’ll be able to shuttle people from New York to London in 3.5 hours, and SF to Tokyo in 4.5. Sound crazy? I wouldn’t disagree. It’s worth noting that the company is in the very early days for something as intensive, massive, and hugely expensive as designing and producing a passenger aircraft. They’re still working on their first prototype, and hope to fly it by late next year. But it’s also worth noting that the team behind the plane has some serious talent in its blood: the company’s 11 employees have collectively contributed to over 30 aircrafts — having worked on thin...
Post a Comment
Read more

Build Your Own Awesome Personal 3D Avatar with Avatara

Do you use social networks and want to build your own awesome 3D avatar? Maybe you want to send someone a cute cuddly image of yourself (kind of)? Or maybe you have your own ideas of what you would do with an Avatar… Well look no further than Avatara which I discovered from the MakeUseOf directory . You can create 3d avatars out of pre-set up templates or create your own from scratch. To start, visit Avatara’s homepage . You will see this screen: Click Get Started to umm, get started! That will take you to this screen: You see that you can build your own Avatar using an uploaded head shot like the Obama one above (just an example, guys). Or roll with one of their awesome avatars. I chose to start with a blank avatar by clicking Start with a blank avatar at the bottom of the screen. That takes you to here: I clicked on the filter at the top and told it to filter out everything but male characters and then I saw this: I rolled with Buck and continued. You need to click Select...
1 comment
Read more