
Uber quits GitHub for in-house code after 2016 data breach

Code trove wasn't to blame: Uber didn’t have multifactor authentication on repos that included AWS credentials

By Simon Sharwood


Uber’s confessed that it didn’t use multifactor authentication on its GitHub account, an omission that ultimately led to the data breach it revealed in 2017 after keeping it secret for more than a year, and after using its bug bounty program to bribe the hacker to stay schtum.

It’s now stopped using GitHub for anything other than open source projects.

The not-a-taxi company’s chief information security officer John Flynn revealed the GitHub gaffe in testimony (PDF) before the US Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, which on Tuesday, February 6th, conducted a hearing titled “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers”.

The breach saw a hacker access oodles of data from one of Uber’s AWS S3 buckets. Flynn told the hearing “that the intruder found the credential [for AWS] contained within code on a private repository for Uber engineers on GitHub.”

Flynn did not explain how the hacker accessed that repository, but we can guess at a brute-force or password-guessing attack from Flynn’s testimony that “We immediately took steps to implement multifactor authentication for GitHub and rotated the AWS credential used by the intruder.”

“Despite the complexity of the issue and the limited information with which we started, we were able to lock down the point of entry within 24 hours.”

“We ceased using GitHub except for items like open source code,” he added.

Flynn also confessed that Uber’s bug bounty program was “not an appropriate vehicle for dealing with intruders who seek to extort funds from the company.” But he also defended its use on the grounds that doing so “assisted in the effort to gain attribution and, ultimately, assurances that our users’ data were secure”, while noting that extortion is not something bug bounty programs should ever reward.

Video testimony from the hearing was not available at the time of writing, so we’re unable to report on Flynn’s answers to any questions directed his way.

We asked GitHub if it was aware Uber all-but-dumped it, and if it has responded to the breach in any way. We did so partly to see what it knew, and partly because Uber dumping GitHub when it hadn’t secured its own repos properly seems a bit harsh.

GitHub responded, telling us "This was not the result of a failure of GitHub's security. We cannot provide further comment on individual accounts due to privacy concerns."

"Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code. If the developer must include them in the code, we recommend they implement additional operational safeguards to prevent unauthorized access or misuse."

Uber's followed that advice: Flynn said its code now includes only auto-expiring AWS creds. ®
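GitHub's advice above boils down to one check a repository owner can automate: refuse to accept a commit that carries a long-lived credential. The following is an added example, not code from Uber, GitHub or this article, of a minimal pre-commit style scanner that looks for the AWS access key ID format (the `AKIA` prefix plus 16 characters) and for a 40-character secret assigned to an `aws_secret_access_key`-style name. The sample file contents are constructed for the example; the key values in them are AWS's published placeholder values, not real credentials. A finding is reported with the secret masked so the scanner's own output does not become a second leak.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The access key ID format (AKIA followed by 16 upper-case alphanumerics) is
# documented by AWS. A secret access key has no fixed prefix, so it is matched
# by its 40-character length together with the name it is assigned to.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key['\"]?\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    masked: str  # never the raw secret


def mask(secret: str) -> str:
    """Keep the first and last four characters so a finding can be matched to a
    known key during rotation without echoing the whole value into logs."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line and return masked findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", mask(m.group(1))))
        for m in AWS_SECRET_KEY.finditer(line):
            findings.append(Finding(path, line_no, "aws_secret_access_key", mask(m.group(1))))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """files maps a repository-relative path to its text (what a hook would
    read from the staged tree)."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def pre_commit_gate(files: dict[str, str]) -> bool:
    """Return True when the commit may proceed, False when a credential was found.
    A real hook would map this to its exit status."""
    findings = scan_repo(files)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.masked}")
    return not findings


# Constructed sample tree. The key values are AWS's documented placeholder
# examples, used here only so the patterns have something to match.
SAMPLE_FILES = {
    "config/settings.py": (
        "# constructed sample: long-lived key pair committed to source\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "app/storage.py": (
        "# constructed sample: credentials resolved at runtime, nothing to flag\n"
        "session = boto3.Session()  # picks up short-lived credentials from the environment\n"
        'bucket = os.environ["UPLOAD_BUCKET"]\n'
    ),
}

if __name__ == "__main__":
    allowed = pre_commit_gate(SAMPLE_FILES)
    print("commit allowed" if allowed else "commit blocked: rotate the key and remove it from history")
```

The check is deliberately narrow so it stays readable; a production hook would carry patterns for other providers and run on the staged diff rather than whole files. It also only catches the key that is about to be committed: a key that already sits in history has to be rotated, which is why the auto-expiring credentials Flynn describes matter more than any scanner.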
