In major goof, Uber stored sensitive database key on public GitHub page

Status
You're currently viewing only Iphtashu Fitz's posts. Click here to go back to viewing the entire thread.
Not open for further replies.
Ride-sharing service subpoenas GitHub for IP addresses that accessed security key.

Yeah, a lot of good that will do. If it was posted to a public GitHub repo then it was likely downloaded by hundreds, if not thousands, of people. On top of that the culprit who likely used this to access their database probably connected from a server in China or Russia, or through a Tor exit node.
 
Upvote
32 (32 / 0)
yakumo said (http://meincmagazine.com/civis/viewtopic.php?p=28584103#p28584103):
    if the key is posted in public, how is anyone using it at fault?

Mainly because the database itself is likely not publicly accessible. Whoever used this key would have had to either have broken into Uber's corporate network, or performed some sort of SQL injection attack, remote exploit attack, etc. against the Uber website in order to remotely execute SQL code.

Not that it exonerates Uber in any way though, if their website can be exploited that easily without detection.
 
Upvote
-8 (4 / -12)
Rookie_MIB said (http://meincmagazine.com/civis/viewtopic.php?p=28584305#p28584305):
    I'm curious as to how much trouble the person who downloaded the dbase could get into. You have a public-facing website. A publicly posted key. Person takes the publicly posted key, enters the public-facing website, downloads what's there...

    No security was 'hacked', encryption wasn't 'circumvented', any curious 12 year old could have been responsible for this, which would have been double the age of the person who apparently designed their security.

You're assuming that the website has a location to enter this private key in order to access the database directly. Most applications abstract access to the database so that you can't interact with the database directly. Chances are that obtaining the private key was only one piece of the puzzle in accessing this data. The perpetrators likely also implemented a SQL injection attack or some other sort of remote exploit of Uber's website to indirectly access the database.

Not that Uber should be let off the hook for sloppy programming and/or security practices if the database was in fact accessed via an exploit of these sorts.
 
Upvote
0 (1 / -1)
darkangel666 said (http://meincmagazine.com/civis/viewtopic.php?p=28584391#p28584391):
    Iphtashu Fitz said (http://meincmagazine.com/civis/viewtopic.php?p=28584149#p28584149):
        yakumo said (http://meincmagazine.com/civis/viewtopic.php?p=28584103#p28584103):
            if the key is posted in public, how is anyone using it at fault?

        Mainly because the database itself is likely not publicly accessible. Whoever used this key would have had to have broken into Uber's corporate network to exploit it.

    The article says that the database was accessed from an IP not associated with Uber, so it looks like the database IP itself was also publicly available. Usually, to accuse someone of unauthorized data access, that person has to have accessed the data against reasonable measures taken by the owner to guard it. In this case the keys were placed in public access; no reasonable measures to guard the data were taken. So the court shouldn't grant Uber's request to disclose the IPs of those who accessed the GitHub project. Uber pretty much gave the database keys to the public for anyone to access.

That's a bit of a stretch to assume it means the database was publicly available. It's also possible that a bug in Uber's web application or an exploit in some library allowed the attacker to perform a SQL injection attack or remote code execution attack.
 
Upvote
0 (0 / 0)
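The thread above argues about what an attacker could do with the key once it was public, but the root failure in the article is the key reaching a public GitHub repository at all. The scanner below is an added example, not Uber's code and not the repository from the article: it runs a handful of credential-shaped rules over file contents (a committed config file, or the output of `git log -p --all`, since a key that was committed and later deleted is still in the history) and uses a Shannon-entropy threshold to keep placeholder values such as `changeme` out of the report. The rules, the entropy threshold and the sample `database.yml` are constructed for illustration; production scanners such as gitleaks or trufflehog carry far larger rule sets.

```python
"""Added example: scan file contents or git history for committed credentials.

Not Uber's code and not the repository from the article; the rules and the
sample config below are constructed for illustration.
"""
import math
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Pattern

# Credential shapes that commonly end up in committed config files.
# Where a rule has a capture group, group 1 is the secret value itself.
RULES: Dict[str, Pattern[str]] = {
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "db_url_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:/\s]+:([^@\s]+)@\S+"),
    # Generic "password = ..." assignment. No leading \b so that names such
    # as ADMIN_PASSWORD still match; filtered by entropy in scan_text().
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|db[_-]?key)"
        r"\s*[:=]\s*['\"]?([^'\"\s]{8,})"),
}
GENERIC_ENTROPY_MIN = 3.0  # bits per character; an assumption, tune per repo


@dataclass
class Finding:
    line_no: int
    rule: str
    secret: str

    def masked(self) -> str:
        """Show only a short prefix so the report does not re-leak the value."""
        return self.secret[:4] + "*" * (len(self.secret) - 4)


def shannon_entropy(s: str) -> float:
    """Bits per character: 4.0 for a 16-character string with no repeats."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Finding]:
    """Run every rule over every line; findings come back in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group(1) if m.groups() else m.group(0)
            if rule == "generic_assignment" and shannon_entropy(secret) < GENERIC_ENTROPY_MIN:
                continue  # low-entropy value, almost certainly a placeholder
            findings.append(Finding(line_no, rule, secret))
    return findings


def scan_git_history(repo_path: str) -> List[Finding]:
    """Scan every commit on every branch, not just the working tree.

    Line numbers in the result refer to the 'git log -p' output, not to
    individual files. Requires git on PATH; not exercised offline.
    """
    diff = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        check=True, capture_output=True, text=True).stdout
    return scan_text(diff)


# Constructed sample of a config file that should never have been committed.
SAMPLE_CONFIG = """\
# config/database.yml (constructed sample)
production:
  adapter: postgresql
  host: db.internal.example
  username: app
  password: "x7Gq2pL9vB4nW8zR"
DATABASE_URL=postgres://app:s3cr3tP4ssw0rd@db.internal.example:5432/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
ADMIN_PASSWORD=changeme
LOG_LEVEL=info
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.rule}: {f.masked()}")
```

Run against the sample, the scanner reports the YAML password, the password embedded in the connection string and the AWS key id, and stays quiet on `ADMIN_PASSWORD=changeme` because its entropy is below the threshold. Wiring `scan_text` into a pre-commit hook stops the key before it is pushed; `scan_git_history` is for the after-the-fact audit, because removing the file in a later commit does nothing to the earlier one.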