In major goof, Uber stored sensitive database key on public GitHub page


Drakkenmensch

Ars Tribunus Angusticlavius
7,765
 
Upvote
166 (168 / -2)

Dilbert

Ars Legatus Legionis
34,009
MoonUnit said:
I was going to make a comment that security is hard, but this goes way deeper than that.

Security is haaaard! We need to remember to lock the dooooors. That's just soooo haaaaard. Waaaa.

Something like that I think.
 
Upvote
70 (71 / -1)
Ride-sharing service subpoenas GitHub for IP addresses that accessed security key.

Yeah, lot of good that will do. If it was posted to a public github repo then it was likely downloaded by hundreds, if not thousands, of people. On top of that the culprit who likely used this to access their database probably connected from a server in China or Russia, or through a Tor exit node.
 
Upvote
32 (32 / 0)

Drakkenmensch

Ars Tribunus Angusticlavius
7,765
theSeb said:
MoonUnit said:
I was going to make a comment that security is hard, but this goes way deeper than that.

Yes, we must never forget that common sense is important.

It's especially precious because it's so rare.
 
Upvote
31 (31 / 0)

Dachannien

Ars Scholae Palatinae
1,147
Subscriptor
Iphtashu Fitz said:
Ride-sharing service subpoenas GitHub for IP addresses that accessed security key.

Yeah, lot of good that will do. If it was posted to a public github repo then it was likely downloaded by hundreds, if not thousands, of people. On top of that the culprit who likely used this to access their database probably connected from a server in China or Russia, or through a Tor exit node.

Exactly. Either the perp was foolish enough to use fewer than seven proxies both when accessing GitHub and the Uber server, in which case Uber already has the information they need without the subpoena, or they were smart enough to use the requisite number of proxies, in which case this is a wild goose chase that could result in some poor innocent being sued or charged.
 
Upvote
16 (19 / -3)
It's really simple: if we want these incidents to stop, we need penalties for the companies that leak information. The HIPAA act specifies penalties ranging from $100 to $50k per violation if PHI is leaked. Damages could even be assessed per record released, depending on the size of the breach. Healthcare data breaches happen, but they're relatively rare. Consumer data breaches are a dime a dozen, from Target to Home Depot to LinkedIn. The list goes on and on.

Businesses treat securing data properly as optional because it is. If a breach occurs with consumer data, there are no penalties except for potentially losing some business. Securing data properly needs to be required by law and punitive damages need to be assigned for violations. Securing personal data needs to be a cost of doing business, not something that's nice to do.
 
Upvote
82 (83 / -1)

Wheels Of Confusion

Ars Legatus Legionis
75,590
Subscriptor
vcsjones said:
The court action revealed that a security key unlocking the database was stored on a publicly accessible place, the online equivalent of stashing a house key under a doormat.

Wow. Terrible. It's more like leaving the key in the lock. Not even remotely secure.
In fact, it's remotely insecure and that's the whole problem.
 
Upvote
54 (54 / 0)

Nilt

Ars Legatus Legionis
21,814
Subscriptor++
Wheels Of Confusion said:
vcsjones said:
The court action revealed that a security key unlocking the database was stored on a publicly accessible place, the online equivalent of stashing a house key under a doormat.

Wow. Terrible. It's more like leaving the key in the lock. Not even remotely secure.
In fact, it's remotely insecure and that's the whole problem.
:rimshot:
 
Upvote
35 (40 / -5)

rakkuuna

Wise, Aged Ars Veteran
125
It is so easy to mess up like this though. Passwords and secrets for databases are often stored in configuration files, just like database ports and URLs and other settings. Every development framework I know encourages this. And where does this configuration end up when you want to get development started fast? In the same folder as your source code. Your source code goes to version control and that's how you get in a mess like this.

Almost every developer I know (including me) has committed passwords to version control. The lucky thing is usually you are not committing into public repositories. Common development frameworks should have some best practices on how to do it properly since everyone makes the same mistake...

Though in the case of Uber, they should hide internal databases behind a firewall to prevent things like this. You should not be able to access it from the public internet, no matter how many passwords you know. That is the easiest fix for dumb developers.
 
Upvote
31 (36 / -5)
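The pattern rakkuuna describes, framework config files next to the source carrying credentials into version control, is something a pre-commit check can catch. What follows is an added example, not code from this thread, from Uber or from any framework: it flags config lines that assign a literal credential unless the file is kept out of the repository by .gitignore or the value is a placeholder resolved from the environment. The file contents, .gitignore and key-name patterns are constructed for the example.

```python
"""Pre-commit style audit: flag hard-coded credentials in config files that
.gitignore does not keep out of the repo. Added example; all inputs are constructed."""
import fnmatch
import re

# Config keys that usually carry a credential (password, secret, token, ...).
SECRET_KEY_RE = re.compile(
    r"""^\s*["']?([A-Za-z_.]*?(?:password|passwd|secret|api_key|token)[A-Za-z_.]*)["']?\s*[:=]\s*(.+?)\s*$""",
    re.IGNORECASE,
)
# Values that are references rather than secrets: ${ENV_VAR}, %(var)s or <fill me in>.
PLACEHOLDER_RE = re.compile(r"""^["']?(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|%\([A-Za-z_]+\)s|<[^>]*>)["']?$""")

def find_secrets(path, text):
    """Return (path, line_no, key) for each line that assigns a literal credential."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY_RE.match(line)
        if m and not PLACEHOLDER_RE.match(m.group(2)):
            hits.append((path, no, m.group(1)))
    return hits

def is_ignored(path, gitignore_text):
    """Minimal .gitignore matcher (no '!' negation): patterns containing '/' are
    matched against the repo-relative path, plain patterns against any path component."""
    for pat in gitignore_text.splitlines():
        pat = pat.strip().rstrip("/")
        if not pat or pat.startswith("#"):
            continue
        targets = [path] if "/" in pat else path.split("/")
        if any(fnmatch.fnmatch(t, pat.lstrip("/")) for t in targets):
            return True
    return False

def audit(files, gitignore_text):
    """files: {repo path: content}. Returns {path: [keys]} for files that would commit a literal credential."""
    exposed = {}
    for path, text in files.items():
        hits = find_secrets(path, text)
        if hits and not is_ignored(path, gitignore_text):
            exposed[path] = [key for _, _, key in hits]
    return exposed

# Constructed working tree: a framework-style database config, the template that is
# meant to be committed, and a local .env file that .gitignore keeps out of the repo.
SAMPLE_FILES = {
    "config/database.yml": "adapter: postgres\nhost: db.internal\npassword: hunter2\n",
    "config/database.yml.example": "adapter: postgres\npassword: ${DB_PASSWORD}\n",
    ".env": "DB_PASSWORD=hunter2\n",
}
SAMPLE_GITIGNORE = "# local secrets only\n.env\n"
```

Running `audit(SAMPLE_FILES, SAMPLE_GITIGNORE)` reports only `config/database.yml`: the `.env` file also holds the password but is ignored, and the template only references the environment.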
I am not a fan of cloud repositories in the first place, so github for anything other than open source projects would be a total no-no for me, but I can see how you could do this very easily if you make just one mistake with where you put your keys relative to the source code.

Another possibility is that they originally maintained their source in-house so weren't worried about the key being in their repo, and then messed up a cloud migration.
 
Upvote
17 (19 / -2)

Falos

Ars Tribunus Militum
1,599
vcsjones said:
The court action revealed that a security key unlocking the database was stored on a publicly accessible place, the online equivalent of stashing a house key under a doormat.

Wow. Terrible. It's more like leaving the key in the lock. Not even remotely secure.
Echoing this. Dan may not have intentionally written it that way, but the implications of "under a doormat" will try to paint viewing as invasive. You can chase people off for digging around your porch and through your stuff.

Compares better to a key taped to an apartment door. I don't enjoy being pedantic, but the concept of "public domain" has been spun up and down into a muddy blur, so precision is chemo.
 
Upvote
14 (14 / 0)

hizonner

Ars Scholae Palatinae
1,140
Subscriptor
thegrommit said:
Heh, not surprised. This is Uber. Not paying attention to security and privacy is part of their business model.

Not paying attention to security, privacy, labor conditions, longstanding laws directly targeted at their main business...

Basically Uber appears to be run by douchebags who think they're above it all, and that paying attention to WTF you're doing is for little people who aren't "disruptive". No surprise if the attitude trickles down.
 
Upvote
49 (49 / 0)
yakumo said:
if the key is posted in public, how is anyone using it at fault?

Mainly because the database itself is likely not publicly accessible. Whoever used this key would have had to either have broken into Uber's corporate network, or performed some sort of SQL injection attack, remote exploit attack, etc. against the Uber website in order to remotely execute SQL code.

Not that it exonerates Uber in any way though, if their website can be exploited that easily without detection.
 
Upvote
-8 (4 / -12)

PemNoob

Smack-Fu Master, in training
75
In my town, I can be cited and fined by the police if I leave my car running and unlocked when there's no one in it. (In cold climate areas, we leave the car running to warm it up.)

How is this not equally negligent with regard to the drivers' PII in Uber's possession?

yakumo said:
if the key is posted in public, how is anyone using it at fault?
 
Upvote
10 (13 / -3)

Meailda

Ars Tribunus Militum
2,934
kliu0x52 said:
Another day, another example in, "Security is easy to fuck up."

Seriously, companies need a security review team (or just a security review guy) whose one job is to check for things like this.

A security review guy isn't going to cut it. There aren't enough hours in the day. You were right with your first assertion.
 
Upvote
9 (9 / 0)

uhuznaa

Ars Tribunus Angusticlavius
8,622
Akemi said:
Wow, just wow. Key left in open public space by major corp - wow.

Uber isn't a "major corp". Uber is a startup with more press than sense that seems to be both power-drunk and incompetent. This is EXACTLY what is to be expected from such players. Over-confident and under-clued.

Uber is expanding like a gas into a vacuum right now and is just as able to fill all the available vacuum in any meaningful way as the gas would be. They would need to hire top-notch people and to wait with every move until they have analyzed the hell out of it, but they can't and won't do that because they fear that someone else will beat them by being more reckless.

But of course none of this is unexpected. I bet that the very first proto-human who was clever enough to drag a burning tree branch home into his cave one winter day killed several people sooner or later by fire or CO poisoning. Was he right or was he wrong? Being clever and daring enough to get something done rarely means being clever enough to do everything right.
 
Upvote
38 (38 / 0)

Rookie_MIB

Ars Tribunus Militum
1,952
I'm curious as to how much trouble the person who downloaded the dbase could get into. You have a public facing website. A publicly posted key. Person takes public posted key, enters public facing website, downloads what's there...

No security was 'hacked', encryption wasn't 'circumvented', any curious 12 year old could have been responsible for this, which would have been double the age of the person who apparently designed their security.
 
Upvote
15 (15 / 0)

psd

Well-known member
10,265
chipmunkofdoom2 said:
It's really simple: if we want these incidents to stop, we need penalties for the companies that leak information. The HIPAA act specifies penalties ranging from $100 to $50k per violation if PHI is leaked. Damages could even be assessed per record released, depending on the size of the breach. Healthcare data breaches happen, but they're relatively rare. Consumer data breaches are a dime a dozen, from Target to Home Depot to LinkedIn. The list goes on and on.

Businesses treat securing data properly as optional because it is. If a breach occurs with consumer data, there are no penalties except for potentially losing some business. Securing data properly needs to be required by law and punitive damages need to be assigned for violations. Securing personal data needs to be a cost of doing business, not something that's nice to do.

The key, though, is "willful neglect", which I don't know can be said in this case or, more generally, can be established in every db hack. IANAL, of course.
 
Upvote
4 (4 / 0)

Bob.Brown

Ars Tribunus Militum
2,079
chipmunkofdoom2 said:
It's really simple: if we want these incidents to stop, we need penalties for the companies that leak information. The HIPAA act specifies penalties ranging from $100 to $50k per violation if PHI is leaked. Damages could even be assessed per record released, depending on the size of the breach. Healthcare data breaches happen, but they're relatively rare. Consumer data breaches are a dime a dozen, from Target to Home Depot to LinkedIn. The list goes on and on.

Businesses treat securing data properly as optional because it is. If a breach occurs with consumer data, there are no penalties except for potentially losing some business. Securing data properly needs to be required by law and punitive damages need to be assigned for violations. Securing personal data needs to be a cost of doing business, not something that's nice to do.
Sadly, health care data breaches are not rare. Anthem (a major health insurer) released my SSN and other identifying data along with that of 80 million of my closest friends. Fined? Naaaaah!
http://www.npr.org/blogs/health/2015/02 ... s-multiply
 
Upvote
11 (12 / -1)
Iphtashu Fitz said:
yakumo said:
if the key is posted in public, how is anyone using it at fault?

Mainly because the database itself is likely not publicly accessible. Whoever used this key would have had to have broken into Uber's corporate network to exploit it.

The article says that the database was accessed from an IP not associated with Uber, so it looks like the database IP itself was also publicly available. Usually, to accuse someone of unauthorized data access, this person should have accessed the data against the reasonable measures taken by the owner to guard it. In this case the keys were placed in public access; no reasonable measures to guard the data were taken. So the court shouldn't grant Uber's request to disclose the IPs of those who accessed the github project. Uber pretty much gave the database keys to the public for anyone to access.
 
Upvote
10 (11 / -1)