A recent data breach at Uber shows how popular code-sharing sites such as GitHub and SourceForge can sometimes be a rich source of information for those looking to break into enterprise networks.
On Feb. 27, Uber disclosed that someone had illegally accessed an internal database containing names and driver’s license information belonging to 50,000 drivers. The company said the intrusion happened in May 2014 but was only discovered in September.
Uber did not say how it discovered the intrusion, nor did it offer any explanation for the delay in notifying those affected by the breach, even though state laws require organizations to notify victims as soon as a breach is discovered.
In a prepared statement announcing the data breach, Uber said it changed access protocols for the data as soon as the issue was discovered. The company added that it has not yet received any reports of the compromised data being misused.
John Doe Lawsuit
Uber filed a John Doe lawsuit in the U.S. District Court for the Northern District of California against those responsible for the data theft. The lawsuit seeks a court order barring the unnamed defendants from accessing Uber’s files again or transmitting them anywhere. In court papers filed in connection with the case, Uber described the database from which the data was stolen as closely guarded.
“Accessing them from Uber’s protected computers requires a unique security key that is not intended to be available to anyone other than certain Uber employees,” the company said in the lawsuit. “No one outside of Uber is authorized to access the files.”
However, on May 12, 2014, someone with an IP address that did not belong to Uber or any of its employees used the unique security key to access the database and download its contents, according to court documents.
Security Key Stored on GitHub
Whoever accessed Uber’s database appears to have obtained the security key from a public page on GitHub. A subpoena has been served to GitHub to try to force it to disclose the IP addresses or subscriber IDs of all individuals who may have viewed, accessed or modified content on the GitHub Web page on which the security key was stored.
Uber wants GitHub to provide it with all records or metadata pertaining to the browsers and devices that were used to view or access the page. The data being sought includes logged HTTP headers, cookies and device ID information.
Services like GitHub and SourceForge are popular because they give software developers a place to collaborate on projects, make and store changes and maintain a complete revision history of all modifications made to code over the life of a project.
One of the downsides for companies is that developers who use these services are not always careful about what they upload and store online. It is not unusual to find files containing private security keys, login credentials, security tokens, configurations and other data stored online along with the source code. Attackers with access to such information can leverage it to gain access to enterprise systems and data. Often, all it takes to unearth sensitive information is a simple search on GitHub.
Since Uber has not disclosed any details on the breach, it is unclear which data exactly was stored online on the GitHub page, which is the subject of the Uber subpoena. However, court documents suggest the individual who accessed the ride share company’s database used a security key stored on the website.