Uber quits GitHub for in-house code after 2016 data breach

Code trove wasn't to blame: Uber didn’t have multifactor authentication on repos that included AWS credentials

By Simon Sharwood, APAC Editor

Posted in Security, 7th February 2018 07:30 GMT

Uber’s confessed that it didn’t use multifactor authentication on its GitHub account, an omission that ultimately led to the data breach it revealed in 2017, after keeping it secret for more than a year and using its bug bounty program to bribe the hacker to stay schtum.

It’s now stopped using GitHub for anything other than open source projects.

The not-a-taxi company’s chief information security officer John Flynn revealed the GitHub gaffe in testimony (PDF) before the US Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, which on Tuesday February 6th conducted a hearing titled “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers”.

The breach saw a hacker access oodles of data from one of Uber’s AWS S3 buckets. Flynn told the hearing “that the intruder found the credential [for AWS] contained within code on a private repository for Uber engineers on GitHub.”

Flynn did not explain how the hacker accessed that repository, but we can guess at a brute-force or password-guessing attack from Flynn’s testimony that “We immediately took steps to implement multifactor authentication for GitHub and rotated the AWS credential used by the intruder.”

“Despite the complexity of the issue and the limited information with which we started, we were able to lock down the point of entry within 24 hours.”

“We ceased using GitHub except for items like open source code,” he added.

Flynn also confessed that its bug bounty program was “not an appropriate vehicle for dealing with intruders who seek to extort funds from the company.” But he also defended its use on grounds that doing so “assisted in the effort to gain attribution and, ultimately, assurances that our users’ data were secure”, while also noting that extortion is not what bug bounty programs should ever reward.

Video testimony from the hearing was not available at the time of writing, so we’re unable to report on Flynn’s answers to any questions directed his way.

We asked GitHub if it was aware Uber all-but-dumped it, and if it has responded to the breach in any way. We did so partly to see what it knew, and partly because Uber dumping GitHub when it hadn’t secured its own repos properly seems a bit harsh.

GitHub responded, telling us "This was not the result of a failure of GitHub's security. We cannot provide further comment on individual accounts due to privacy concerns."

"Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code. If the developer must include them in the code, we recommend they implement additional operational safeguards to prevent unauthorized access or misuse."

Uber's followed that advice: Flynn said its code now includes only auto-expiring AWS creds. ®
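The root cause Flynn describes, a long-lived AWS credential committed to a private repository, is exactly what a pre-commit secret scan is meant to catch before code is pushed. The following is an added example, not Uber's or GitHub's tooling, that flags AWS access key IDs and entropy-checked secret keys in a constructed sample source file; the regex constants and entropy threshold are the example's own assumptions, and the sample key values are placeholders, not live credentials.

```python
import math
import re

# Constructed sample of the failure described in the article: a long-lived AWS
# credential hard-coded in source. The access key ID is made up (it only follows
# the AKIA + 16-char format); the secret is AWS's documentation placeholder.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
BUILD_MARKER = "0000000000000000000000000000000000000000"  # 40 chars, low entropy

def s3():
    return boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                        aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

# Long-lived AWS access key IDs start with "AKIA" followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-alphabet characters; that alone over-matches,
# so candidates are kept only when their Shannon entropy looks key-like.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
MIN_SECRET_ENTROPY = 3.5  # bits per character; assumed threshold that drops repetitive strings


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a run of one repeated character)."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_aws_credentials(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_type, matched_value) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            if shannon_entropy(m.group(0)) >= MIN_SECRET_ENTROPY:
                findings.append((lineno, "aws_secret_access_key", m.group(0)))
    return findings


if __name__ == "__main__":
    # A pre-commit hook would run this over staged files and reject the commit on any hit;
    # a key that has already been pushed must be rotated, as Uber did.
    for lineno, kind, value in find_aws_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} {value[:4]}... (block commit; rotate if already pushed)")
```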
