Uber was hacked to the core, by an 18-year-old. Here are the basics

[Image: The Uber ride-sharing app in use on a smartphone. Credit: Zoom]

Uber employees discovered Thursday that swathes of their internal network had been accessed by someone who announced the feat on the company’s Slack channel. The hacker, who sent screenshots documenting the breach to the New York Times and to security researchers, claimed to be 18 years old and was unusually candid about how the intrusion happened and how far it got, according to the news outlet, which broke the story.

It didn’t take long for independent researchers, including Bill Demirkapi of Microsoft, to confirm the New York Times coverage and conclude that the intruder likely obtained initial access by contacting an Uber employee via WhatsApp.

After obtaining the employee’s account password, the hacker tricked the employee into approving a multi-factor authentication push notification. The intruder then uncovered administrative credentials that allowed access to some of Uber’s crown-jewel network resources. Uber responded by shutting down parts of its internal network while it investigated the extent of the breach.

It is not yet clear exactly what data the hacker was able to access or what other actions the hacker took. Uber stores an astonishing array of data on its users, so it is possible that the private addresses of hundreds of millions of people were exposed.

Here is what is known so far.

How did the hacker get in?

According to the NYT, the tweet thread from Demirkapi, and other researchers, the hacker socially engineered an Uber employee after somehow discovering the employee’s WhatsApp number. In direct messages, the hacker instructed the employee to log into a fake Uber site, which captured the entered credentials in real time and used them to log into the real Uber site.

Uber had MFA, short for multi-factor authentication, in the form of an app that required an employee to press a button on a smartphone when logging in. To bypass this protection, the hacker repeatedly entered the credentials into the real site, generating prompt after prompt. In the end, the employee, presumably confused or worn down, pressed the button. With that, the attacker was in.
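The pattern described above, a burst of push prompts followed by a late approval, is visible in authentication logs. The following is an added example, not code from the article or from Uber, that flags it over a few constructed log lines. The log format (`timestamp user event`, with events `push_sent`, `push_denied`, `push_approved`) and the thresholds are assumptions chosen for the illustration.

```python
# Added example: detect MFA "push fatigue" bursts in authentication logs.
# Assumed log format: "<ISO-8601 timestamp> <user> <event>", where event is one of
# push_sent, push_denied, push_approved. Thresholds below are illustrative.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Uber data): alice receives five prompts in
# under four minutes and finally approves; bob gets one prompt and approves normally.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice push_sent
2022-09-15T22:01:40Z alice push_denied
2022-09-15T22:02:11Z alice push_sent
2022-09-15T22:02:50Z alice push_sent
2022-09-15T22:03:30Z alice push_sent
2022-09-15T22:04:05Z alice push_sent
2022-09-15T22:04:44Z alice push_approved
2022-09-15T09:10:00Z bob push_sent
2022-09-15T09:10:08Z bob push_approved
"""


def parse(log_text):
    """Turn raw log text into (timestamp, user, event) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_push_fatigue(events, max_pushes=3, window=timedelta(minutes=10)):
    """Return {user: {"pushes": n, "approved_after_burst": bool}} for every user who
    received more than `max_pushes` prompts inside a sliding `window`.

    An approval that lands after such a burst is the highest-priority signal: it is
    exactly the "user gave up and pressed the button" outcome the article describes.
    """
    per_user = defaultdict(list)
    for ts, user, ev in sorted(events):
        per_user[user].append((ts, ev))

    findings = {}
    for user, evs in per_user.items():
        pushes = [ts for ts, ev in evs if ev == "push_sent"]
        for i, start in enumerate(pushes):
            in_window = [t for t in pushes[i:] if t - start <= window]
            if len(in_window) > max_pushes:
                last_push = in_window[-1]
                approved = any(ev == "push_approved" and ts >= last_push for ts, ev in evs)
                findings[user] = {"pushes": len(in_window), "approved_after_burst": approved}
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for user, info in detect_push_fatigue(parse(SAMPLE_LOG)).items():
        print(f"{user}: {info['pushes']} prompts in window, approved after burst: {info['approved_after_burst']}")
```

A detection like this is only half the control; the other half is the identity provider's own rate limit on prompts per user, and number matching or a FIDO2 factor that removes the "just press the button" decision from the user altogether.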

After digging around, the attacker discovered PowerShell scripts, stored by an administrator, that automated the login process for many sensitive parts of the network. The scripts contained the required credentials in plain text.
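Scripts that embed credentials are a well-known audit finding, and the usual defence is to scan repositories and file shares for them before an intruder does. Below is an added example, not from the article or from Uber, of a small scanner for the most common PowerShell patterns (a plaintext `ConvertTo-SecureString`, a `PSCredential` built from a literal, a `-Password`-style argument with a literal, and a literal bearer token). The sample script text is constructed for the illustration, and the pattern list is an assumption, not an exhaustive rule set.

```python
# Added example: flag hard-coded credentials in PowerShell scripts.
# The regexes cover a few common idioms; they are a starting point, not a complete secret scanner.
import re

# Constructed sample script (not the scripts from the article). Lines 2, 3 and 7 embed secrets;
# line 6 shows the acceptable alternative, prompting interactively with Get-Credential.
SAMPLE_SCRIPT = r'''# connects to the admin console
$pw = ConvertTo-SecureString "Sup3rSecret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("svc-admin", $pw)
Connect-Thing -Credential $cred
# this one is fine: it prompts interactively instead of embedding a password
$safe = Get-Credential
Invoke-RestMethod -Uri https://example.invalid -Headers @{ Authorization = "Bearer eyJhbGciOi.FAKE.TOKEN" }
'''

PATTERNS = [
    # a quoted literal (not a $variable) converted with -AsPlainText
    ("plaintext SecureString",
     re.compile(r'ConvertTo-SecureString\s+(["\'])(?!\$)[^"\']+\1[^\n]*-AsPlainText', re.I)),
    # PSCredential constructed from a literal user name
    ("inline PSCredential", re.compile(r'PSCredential\s*\(\s*["\'][^"\']+["\']', re.I)),
    # -Password / -Pwd / -Secret followed by a quoted literal
    ("password parameter", re.compile(r'-(?:Password|Pwd|Secret)\s+["\'][^"\']+["\']', re.I)),
    # Authorization header with a literal bearer token
    ("bearer token literal", re.compile(r'Authorization\s*=\s*["\']Bearer\s+\S+["\']', re.I)),
]


def scan_script(text):
    """Return a list of (line_number, finding_label) for every matching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            if rx.search(line):
                findings.append((lineno, label))
    return findings


if __name__ == "__main__":
    for lineno, label in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label}")
```

The findings point at the fix as well as the problem: the script should pull credentials from a secrets manager or prompt for them at run time, and any credential that has ever been committed should be treated as compromised and rotated.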

What happened after that?

The attacker reportedly posted company-wide messages in Uber Slack channels announcing the achievement.

“I announce that I am a hacker and that Uber has had a data breach,” one of the messages stated, according to the New York Times. The screenshots provided evidence that the individual had access to assets, including Uber’s Amazon Web Services, G Suite accounts, and code repositories.

It is still unclear what other data the hacker had access to and whether the hacker copied or shared any of it. Uber on Friday updated its disclosure page to say, “We have no evidence that the incident involved access to sensitive user data (such as the flight history)”.

What do we know about the hacker?

Not much. The person claims to be 18 years old and took to Uber Slack channels to complain that Uber drivers are underpaid. This, and the fact that the intruder took no steps to conceal the hack, suggests that the breach was likely not motivated by financial gain from ransomware, extortion or spyware. The identity of the individual remains unknown for now.

What is Uber doing now?

Uber has acknowledged the breach and says it is investigating.

Did an 18-year-old truly reach the crown jewels of one of the most sensitive companies in the world? How can this be?

It’s too early to say for sure, but the scenario seems plausible, even probable. Phishing attacks remain one of the most effective forms of network intrusion. Why bother with expensive and complex zero-day exploits when there are much easier ways to get in?

Moreover, over the past few months, phishing attacks of this kind have grown increasingly popular. See the attack that recently hacked Twilio and targeted many other companies. Its phishing page automatically transmitted the entered usernames and passwords to the attackers via the Telegram messaging service, and the attackers entered them into the real site. When the user entered a one-time password generated by an authenticator app, the attackers entered that as well. If the account is protected by an app like Duo Security, the attackers gain access as soon as the employee approves the prompt.

Does this mean MFA that uses one-time passwords or push notifications is useless?

This type of MFA will protect users if their password is compromised by a database hack. But as has been repeatedly pointed out, it is woefully inadequate at stopping phishing attacks. To date, the only forms of MFA that resist phishing are those that comply with the industry standard known as FIDO2. It remains the gold standard for MFA.
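The difference between the Twilio-style relay described above and FIDO2 comes down to one property: a one-time code carries nothing that ties it to the site where it was typed, whereas a FIDO2 assertion is signed over the origin the browser is actually on. The following is an added example, not code from the article or from any FIDO2 library, that models both. The TOTP half follows RFC 6238; the assertion half is a deliberate simplification that uses an HMAC with a per-credential key in place of WebAuthn's public-key signature and omits the rpIdHash and counter, which is enough to show why the relay fails. Hostnames and keys are constructed for the illustration.

```python
# Added example: why a relayed one-time code verifies but a relayed origin-bound assertion does not.
# TOTP: RFC 6238 with 30-second steps and SHA-1. Assertion: simplified WebAuthn-style model
# (HMAC stands in for the authenticator's signature; origin is signed into the client data).
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.example"         # constructed: the genuine site
PHISH_ORIGIN = "https://login-phish.example"  # constructed: the look-alike site


# ---------- shared-secret one-time code ----------
def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP for the 30-second step containing unix_time."""
    msg = struct.pack(">Q", unix_time // 30)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def real_site_verify_otp(secret: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def relayed_otp_is_accepted(secret: bytes, unix_time: int) -> bool:
    """The user reads the code from the app and types it into the phishing page; the
    attacker forwards it unchanged. The real site cannot tell where it was typed."""
    code_typed_on_phishing_page = totp(secret, unix_time)
    return real_site_verify_otp(secret, code_typed_on_phishing_page, unix_time)


# ---------- origin-bound assertion (simplified WebAuthn model) ----------
def authenticator_assert(cred_key: bytes, browser_origin: str, challenge: bytes) -> dict:
    """The browser, not the user, supplies the origin it is on, and it is signed into the
    assertion. A phishing page cannot lie about its own origin to the browser."""
    client_data = json.dumps({"origin": browser_origin, "challenge": challenge.hex()},
                             sort_keys=True).encode()
    sig = hmac.new(cred_key, client_data, hashlib.sha256).digest()  # stand-in for a signature
    return {"client_data": client_data, "sig": sig}


def real_site_verify_assertion(cred_key: bytes, issued_challenge: bytes, assertion: dict) -> bool:
    """The relying party checks origin and challenge before it even checks the signature."""
    data = json.loads(assertion["client_data"])
    if data["origin"] != REAL_ORIGIN or bytes.fromhex(data["challenge"]) != issued_challenge:
        return False
    expected = hmac.new(cred_key, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def relayed_assertion_is_accepted(cred_key: bytes, challenge: bytes) -> bool:
    """The attacker forwards the real site's challenge, but the user's browser is on the
    phishing origin, so that origin is what gets signed. The real site rejects it."""
    assertion = authenticator_assert(cred_key, PHISH_ORIGIN, challenge)
    return real_site_verify_assertion(cred_key, challenge, assertion)


if __name__ == "__main__":
    secret, key, now, chal = b"constructed-shared-secret", b"constructed-credential-key", 1663279200, b"\x01" * 16
    print("relayed OTP accepted:      ", relayed_otp_is_accepted(secret, now))       # True
    print("relayed assertion accepted:", relayed_assertion_is_accepted(key, chal))  # False
```

In real WebAuthn the browser additionally refuses to use a credential whose registered relying-party ID does not match the page's domain, so the phishing page never gets an assertion at all; the model above shows the second line of defence, the origin check on the server, which holds even if the first were somehow bypassed.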

Many organizations and security cultures still believe that their members are too smart to fall for phishing attacks. They prefer the convenience of authenticator apps to the FIDO2 forms of MFA, which require a phone or a physical key. Breaches like this one will remain a fact of life until that mindset changes.
