Uber quits GitHub for in-house code after 2016 data breach

Code trove wasn't to blame: Uber didn’t have multifactor authentication on repos that included AWS credentials

By Simon Sharwood, APAC Editor

Posted in Security, 7th February 2018 07:30 GMT

Uber’s confessed that it didn’t use multifactor authentication on its GitHub account, an omission that ultimately led to the data breach it revealed in 2017 after keeping it secret for more than a year, after using its bug bounty program to bribe the hacker to stay schtum.

It’s now stopped using GitHub for anything other than open source projects.

The not-a-taxi company’s chief information security officer John Flynn revealed the GitHub gaffe in testimony (PDF) before the US Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, which on Tuesday February 6th conducted a hearing titled “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers”.

The breach saw a hacker access oodles of data from one of Uber’s AWS S3 buckets. Flynn told the hearing “that the intruder found the credential [for AWS] contained within code on a private repository for Uber engineers on GitHub.”

Flynn did not explain how the hacker accessed that repository, but we can guess at a brute-force or password-guessing attack from Flynn’s testimony that “We immediately took steps to implement multifactor authentication for GitHub and rotated the AWS credential used by the intruder.”

“Despite the complexity of the issue and the limited information with which we started, we were able to lock down the point of entry within 24 hours.”

“We ceased using GitHub except for items like open source code,” he added.

Flynn also confessed that Uber’s bug bounty program was “not an appropriate vehicle for dealing with intruders who seek to extort funds from the company.” But he also defended its use on the grounds that doing so “assisted in the effort to gain attribution and, ultimately, assurances that our users’ data were secure”, while also noting that extortion is not what bug bounty programs should ever reward.

Video testimony from the hearing was not available at the time of writing, so we’re unable to report on Flynn’s answers to any questions directed his way.

We asked GitHub if it was aware Uber all-but-dumped it, and if it has responded to the breach in any way. We did so partly to see what it knew, and partly because Uber dumping GitHub when it hadn’t secured its own repos properly seems a bit harsh.

GitHub responded, telling us "This was not the result of a failure of GitHub's security. We cannot provide further comment on individual accounts due to privacy concerns."

"Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code. If the developer must include them in the code, we recommend they implement additional operational safeguards to prevent unauthorized access or misuse."

Uber's followed that advice: Flynn said its code now includes only auto-expiring AWS creds. ®
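The GitHub advice above (keep credentials out of code) is the kind of rule that is easy to state and easy to break by accident. The following is an added example, not code from the article, Uber or GitHub: a small pre-commit style scanner that flags hard-coded AWS access key IDs, AWS secret access keys and generic password literals, and distinguishes long-lived keys (`AKIA...`) from temporary STS keys (`ASIA...`), which is the "auto-expiring" property Flynn described. The sample source it scans is constructed here; the AWS values in it are the placeholder keys from AWS's own documentation, not live credentials. The regexes and the `Finding` type are this example's own assumptions about what such a check should look like.

```python
import re
from dataclasses import dataclass

# Constructed sample source (not from the article). The AWS values are the
# documentation placeholder keys AWS publishes, not real credentials.
SAMPLE_SOURCE = """\
import boto3

# bad: long-lived credential baked into the repository
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = 'hunter2-but-longer'

# fine: credentials come from the environment / instance role at runtime
session = boto3.Session()  # picks up temporary STS credentials
"""


@dataclass
class Finding:
    """One suspected secret: where it was, what kind, and a redacted preview."""
    line: int
    kind: str
    redacted: str


# Hypothetical detection rules for this example. Each pattern has exactly one
# capture group holding the candidate secret.
PATTERNS = {
    # AWS access key IDs: AKIA = long-lived IAM user key, ASIA = temporary STS key
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # 40-char secret following the well-known variable name
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    # quoted literal assigned to something that looks like a password field
    "generic_password_literal": re.compile(
        r"(?i)(?:password|passwd|pwd)\W{0,5}['\"]([^'\"\s]{8,})['\"]"
    ),
}


def redact(value: str) -> str:
    """Keep only the first and last four characters so a report never re-leaks the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-4:]}"


def scan_text(text: str) -> list[Finding]:
    """Scan source text line by line and return every suspected hard-coded secret."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if kind == "aws_access_key_id":
                    # Temporary STS keys expire on their own; long-lived ones do not.
                    kind_label = (
                        "aws_access_key_id_temporary"
                        if value.startswith("ASIA")
                        else "aws_access_key_id_long_lived"
                    )
                else:
                    kind_label = kind
                findings.append(Finding(lineno, kind_label, redact(value)))
    return findings


def has_blocking_findings(findings: list[Finding]) -> bool:
    """Pre-commit policy: block the commit on any finding that is not a temporary key."""
    return any(f.kind != "aws_access_key_id_temporary" for f in findings)


if __name__ == "__main__":
    results = scan_text(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line}: {f.kind} -> {f.redacted}")
    print("BLOCK" if has_blocking_findings(results) else "OK")
```

Running the block against the constructed sample reports the long-lived access key on line 4, the secret key on line 5 and the password literal on line 6, and would block the commit; the `boto3.Session()` line that defers to the runtime credential provider produces nothing. A check like this belongs in a pre-commit hook or CI stage, alongside the controls the article describes (MFA on the hosting account, rotation, short-lived credentials), not instead of them, since it only catches the patterns it knows about.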
