The hacker whom Uber reportedly paid off for its 2016 data breach has now been identified as a 20-year-old man from Florida.
The young man, who lives with his mother, was behind the Uber data breach that exposed 57 million user accounts and around 600,000 drivers, according to a Reuters’ exclusive report. The Uber hacker — whose name hasn’t been released — stole the data and then contacted Uber, which referred him to its bug bounty program. Uber then used the bug bounty program to pay the hacker $100,000 to destroy the data.
Uber’s bug bounty program is hosted by HackerOne and usually deals with smaller software bug reports that can earn between $5,000 and $10,000. HackerOne doesn’t manage Uber’s bug bounty program and thus didn’t have a say in the payment, but it does collect financial forms and a nondisclosure agreement (NDA) from those who earn bounties. Uber reportedly used the bug bounty payment to identify the hacker through the financial forms and have him sign the NDA. The ride-hailing company reportedly also performed a forensic analysis of the hacker’s computer to make sure he actually deleted the data he stole.
The data the hacker exfiltrated from the Uber data breach included names, email addresses, mobile phone numbers and driver’s license numbers, which were downloaded from AWS storage using login credentials stolen off of GitHub. The hacker reportedly paid another, unidentified, person to steal the credentials from GitHub.
In a blog post responding to the Uber data breach, the current CEO Dara Khosrowshahi noted that corporate systems and infrastructure were never actually compromised during the Uber data breach.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
According to its sources, Reuters reported that Travis Kalanick, the CEO at the time and founder of the company, was aware of the Uber data breach and the payment made to the hacker through the bug bounty program in November 2016, despite it not being reported until November 2017.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
In other news
- The three most used Android integrated development environments (IDEs) are all compromised by easily exploitable vulnerabilities. Check Point security researchers found that IntelliJ IDEA, Eclipse and Android Studio are affected by a vulnerable XML parser. For the attack to work, the user just needs to be tricked into loading a malicious XML manifest file. If that happens, the IDEs will activate files configured by the attacker. The Check Point researchers, Eran Vaknin, Gal Elbaz, Alon Boxiner and Oded Vanunu, were originally looking at possible vulnerabilities in APKTool, Android’s Application Package Tool, which they found also has the XML External Entity vulnerabilities. “Realizing the enormity of this vulnerability to the Android developer and researcher community, we extended our research to the vulnerable XML parser called ‘DocumentBuilderFactory’, which is being used in APKTool project,” the research team said in a blog post. The team also said that they reached out to the affected vendors, which all fixed the issue and released updates, so users of the vulnerable products should update immediately.
- Researchers from Citizen Lab have found that Ethiopian dissidents around the world were targeted with emails containing spyware produced by an Israel-based cybersecurity company. The malware campaign was reportedly run by the Ethiopian government from 2016 until the present and targeted one of the Citizen Lab researchers, Bill Marczak, during his investigation into the spyware. “In the attacks we document, targets receive via email a link to a malicious website impersonating an online video portal,” the researchers explain in their report. “When a target clicks on the link, they are invited to download and install an Adobe Flash update (containing spyware) before viewing the video. In some cases, targets are instead prompted to install a fictitious app called ‘Adobe PdfWriter’ in order to view a PDF file.” The research team was then able to trace the spyware and found that it was commercial, created by an Israel-based company. “This report is the latest in a growing body of work that shows the wide abuse of nation-state spyware by authoritarian leaders to covertly surveil and invisibly sabotage entities they deem political threats,” the researchers said.
- Google released 47 patches for Nexus and Pixel devices in this month’s Android Security Bulletin. Of the 47, 10 of the patches were for critical vulnerabilities. “The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” the Bulletin said. Four of the other critical vulnerabilities were also in the Media framework and one critical vulnerability in the system could enable a remote code execution attack. Three of the critical vulnerabilities were in Qualcomm components and are also all remote code execution flaws, though some of them had already been publicly disclosed. Other affected components are MediaTek and Nvidia.