Uber Stored Sensitive Database Key on Public GitHub Page Preceding Breach
Uber is trying to force GitHub to disclose the IP address of every person who has visited a webpage that contained a sensitive database key that caused the information of more than 50,000 Uber drivers to be stolen. A subpoena to the court revealed that Uber left a security key which had the ability to unlock the database on a publicly accessible Github page, the equivalent to storing a key to the house in plain view.
Uber officials have yet to publicly identify what information was contained in the two now-deleted GitHub repositories. But in the “John Doe” lawsuit filed Friday, Uber lawyers said the URLs contained a security key that allowed unauthorized access to names and driver’s license numbers of some 50,000 Uber drivers. The crowd-sourced ride-sharing service disclosed the breach Friday, four months after it was initially discovered.
“The contents of these internal database files are closely guarded by Uber,” the complained filed Friday read. “Accessing them from Uber’s protected computers requires a unique security key that is not intended to be available to anyone other than certain Uber employees, and no one outside of Uber is authorized to access the files. On or around May 12, 2014, from an IP address not associated with an Uber employee and otherwise unknown to Uber, John Doe I used the unique security key to download Uber database files containing confidential and proprietary information from Uber’s protected computers.”
Language used in the complaint has led public speculation to believe that the pages that are being blamed as the root cause of the issue were made by an Uber employee or contractor who may have accidentally stored the confidential authorization key on the public GitHub service. The unknown defendant found the same key some time in 2014, and used it to illegally access the Uber database, stealing some 50,000 drivers information. “Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorized access,” Uber said in the statement Friday, following the breach.
It’s not the first time people have posted highly confidential information on the publicly accessible Github, and surely won’t be the last. So much confidential information has been publicly posted to Github, an application security specialist built Gitrob, an intelligence command-line tool that mines Github for information found within files belonging to an organization and runs them against pre-determined patterns looking for potentially sensitive information posted on Github, that was not meant for the public eye.
Researchers and journalists combined have reported basic searches to turn up hundreds of passwords and security keys stored in the publicly accessible Github website. In some cases, passwords appeared to secure sensitive information for high-profile companies and projects. Included in one scan was the password for an account on Chromium.org, the repository that stores the source code for Google’s open source version of the browser.
Uber has already been accused of using its large database of customer trips to track where journalists alongside VIP riders are coming and going from. Uber’s complaint is saying a security key protecting the Uber database was stored in a publicly accessible Github page, which is a lie as Uber has assured the public that the significant amount of information it holds is safe from spies and prying eyes.
Uber could attract scrutiny from federal watchdogs or other private attorneys representing people injured as a result of Uber’s security breach that left 50,000 drivers with their information stolen. Uber’s subtle mishap may leave the company with millions in damages.
