10 comments

[ 2.3 ms ] story [ 23.4 ms ] thread
They don't have data access controls and monitoring?

Doing something like this at Facebook would get you promptly fired.

Now, it would. But I think things were much different in the early days of Facebook. That's not to excuse Uber's current or recently current behavior.
Very originally Facebook used no version control, and code was managed manually via FTP.

In login.php, there was a specific magic password that authorised you into every account. No one bothered to change it even after employee departures.

Given how much of Facebook's security team Uber has pillaged over the past few years I am surprised that this has not been fixed at Uber. Securing query logs, realtime alerting for anomalous queries and closing loopholes on internal tools that allowed for such access pretty much defined 2014 and parts of 2015 for the appropriate prodsec teams.
They do, but there are limitations:

1. Most DOps, support staff, etc access user information of 100s of people per day.

2. Overzealous SQL queries are often written and are not questioned; such as complete driver/rider exports of a particular city.

3. Some tools, like Heaven, and many experimental tools have no access logging.

4. There is a permission that allows you to remove access logs.

5. Spot checks are unheard of.

6. Even direct queries for names like 'Barack Obama', 'Taylor Swift' can be easily justified as 'investigating fraud', which is part of a DOp's job role.

if you did the same at the telecom company I used to work at if you looked up say the queens private number you would hope that MI5 or the special branch got to you before our internal security guys did.

People who had wide access to data (team leads) had to have PV clearance in us terms that's the same as a CIA Officer would have.

Here's the URL to Heaven: https://heaven.uberinternal.com/

Heaven shows a top down view of all drivers in a city, updated live and with historic time travel capacity. Uber employees with 'tools access' can open heaven in for any city in any country.

Heaven has many filters and overlays. For example, you can see an indicator every time a rider opens the Uber app (nickname: eyeball).

You can click on a car to see the driver's name, photo, and their license plate. If they are on a ride, you can see the riders information with another click.

You can also search directly for a rider or driver with their name, email OR phone number. You can also write SQL that is executed on a read only replica that contains 99% of the Uber database; the only columns that are excluded are credentials (I.e. Braintree payment tokens, password hashes).

While access is logged, spot checks are practically unheard of and SQL exports of _all_ drivers and/or riders of a particular city is commonplace and not questioned; and these CSVs can be obviously queried offline without a paper trial.

Some employees have the ability to remove entries from access logging.

Imagine how many intelligence agencies have penetrated this and how amazed they must be at their good fortune.
A sad truth that no tech company is actually going to start off with an internal data security and access keys and rules surrounding such things.

I mean, its inconvenient, sure, but damn why is it nobody cares about security until something actually happens.

Question: IS this actually illegal though? Pretty sure if godmode were illegal in apps/sdks, half of the valley could be sued right now. What are the specifications on that?

These kinds of shenanigans are exactly why I deleted my account years ago and haven't used the app since.