Uber has been hacked and boy does it look bad. The hacker, which boasted of their achievements via Telegram this week, claims to be an 18-year-old who allegedly gained such liberal access to the tech giant’s network that they were able to Slack the Uber workforce and post a picture of a dick on the company’s internal websites.
Uber hasn’t said much about its security debacle yet, aside from Thursday when it admitted that it was experiencing a “cybersecurity incident.” On Friday, the company also posted a brief update in which they claimed that there was “no evidence that the incident involved access to sensitive user data.”
Online security researchers have been quick to analyze the episode, parsing what tactical mistakes may have led to the breach, based on the information leaked by the culprit. Granted, everything that the hacker has said at this point is only alleged and it’s not exactly clear whether they’re telling the truth or not. However, Gizmodo reached out to several experts to inquire about the hack and get their perspectives on how this whole thing might have happened.
Like a lot of recent intrusions into large corporate networks, the hack of Uber appears to have been accomplished using fairly basic hacking techniques. Indeed, if the culprit does turn out to be a teenager, it would mean that one of the biggest tech companies on the planet was just hacked by someone who likely doesn’t qualify as more than a script kiddie.
The hacker has been happy to tell everybody how they got into Uber’s network. In statements posted to a Telegram page and in conversations with the New York Times, the alleged hacker said they tricked an Uber employee into forking over their login credentials through a social engineering attack that made them appear to be a colleague. Dave Masson, Director of Enterprise Security at security firm Darktrace, told Gizmodo that this isn’t a particularly sophisticated intrusion method.
“Based on what the hacker said, they didn’t really ‘hack’ their way in,” said Masson. “They basically tricked somebody into giving up the multi-factor authentication details and then walked in the front door.” These kinds of attacks have always been common, but they’ve grown increasingly prevalent since the pandemic put most companies in a semi-permanent work-from-home status, Masson said.
The attack appears to have allowed the hacker to gain access to the user’s VPN, which provided access to Uber’s corporate network. From there, the hacker allegedly discovered a document, or “internal access share,” that included login credentials for other services and areas of the network. After that, escalating privileges into the company’s broader environment would have been relatively easy.
For a long time, we’ve heard that the surest way to keep our digital lives safe is to use multi-factor authentication. MFA authenticates users by forcing them to present multiple pieces of information (typically from at least two different devices) to log into their online accounts. Yet some forms of MFA also have an infrequently discussed vulnerability, which is that they can be easily out-maneuvered by a hacker who employs social engineering or basic Man-in-the-Middle-style attacks to garner login credentials.
Bill Demirkapi, an independent security researcher, told Gizmodo that the kind of MFA that Uber seems to have used is not the most secure kind. Instead, Demirkapi suggests the use of FIDO2, which bills itself as a “phishing-resistant” form of authentication. FIDO2 is a web authentication mechanism that, unlike more standard forms of MFA, verifies that the origin of the MFA prompt came from the real login server, Demirkapi said. “If an attacker created a fake login page and prompted for FIDO MFA, the U2F device wouldn’t even respond, preventing the authentication from continuing,” he added.
“Standard forms of multi-factor authentication such as push notifications, text messages, OTP [one-time-password], etc. do protect against attackers that only have an employee’s credentials, but often not against phishing,” he said.
Problematically, phishing a user of standard MFA can be accomplished fairly easily using widely accessible web tools. Demirkapi refers to one such tool, called “Evilginx,” which can be accessed for free online. An attacker can use a tool like this to create a fake login page that looks identical to the real one. If they convince a victim to visit the phishing page, the attacker’s server can “replicate a connection to the real login server” so that everything the victim enters is simply relayed to the attacker.
“A victim can enter their credentials, the attacker logs it, and then the attacker sends the login request to the real server,” said Demirkapi. “Once the victim is prompted for “standard MFA”, there is no verification done to make sure that the victim is actually on the real login page. The victim accepts the prompt, the real server sends the authenticated cookies for the victim to the attacker server, and the attacker logs and relays this to the victim. It’s a seamless process that allows the attacker to capture the victim’s credentials, even with common forms of multi-factor authentication,” he said.
One lingering question about this incident is whether user data may have been affected. On Friday, Uber released a statement that alleged that there was “no evidence” that the hacker had accessed “sensitive user data (like trip history).” However, the company hasn’t exactly provided much context for what that means. Security experts that spoke with Gizmodo said that (given the broad access the hacker appears to have acquired) it was certainly possible that they could have viewed user data.
“Is it possible? Sure,” said Demirkapi. “In fact, some screenshots that the attacker did leak appear to show limited access to customer information. This alone does not mean much, however, because what really matters is the extent to which the attacker gained access to customer info.” That extent, obviously, is unknown.
Masson similarly agreed that it was possible. “We don’t know that yet, but I wouldn’t be surprised if that turned out to be the case,” he said, pointing to the 2016 hack that affected the company. In that particular case, the impact was quite bad. Hackers stole the personal information of some 57 million Uber users. The company failed to disclose the incident and secretly paid the cybercriminals to delete the data.
For now, the more pertinent question for Uber may be what kind of dirt the hacker found on the rideshare company’s business practices and whether they would even know what to look for.