Uber quickly fixes snafu that leaked US-based drivers' personal data

OK, it was sorted within 30 minutes, but even so …


Uber has accidentally exposed the personal details of hundreds of US drivers as the result of a software bug, revealing names, social security numbers, pictures of drivers' licences, tax forms, and other sensitive information, before the issue was resolved soon after discovery.

The problem was spotted by one of Uber's partner drivers on Tuesday evening while he was using his account to upload a document; it was then reported on a dedicated Uber drivers' message board and on the social news site Reddit (here).

The Uber driver was confronted with a screen full of other drivers' information during the process of attempting to upload his own new insurance documents.

The issue affected fewer than 700 drivers in the US, Uber told El Reg in a note accompanying a statement (below).

We were notified about a bug impacting a fraction of our US drivers earlier this afternoon. Within 30 minutes our security team had fixed the issue.

We’d like to thank the driver who drew it to our attention and apologise to those drivers whose information may have been affected.

Their security is incredibly important to Uber and we will follow up with them directly.

The exposure of drivers' personal details may be linked to the release of a new Uber Partner app, according to Gawker. The partner app allows drivers to manage their accounts and track their fares, and also provides a facility for new drivers to upload registration information.

The scope of the breach seems to have been limited to other drivers logged into their Uber accounts. Security experts reckon Uber fell foul of a common class of security flaw.

Robert Hansen, veep of WhiteHat Labs at WhiteHat Security, commented: "It's already fixed so the impact ... is very small. However, this is a very common insufficient authorisation flaw, where a user can see other user data."

"Horizontal user access controls are very important and easy to test for in most cases, although it does require user level access, so issues like this are less often found in the wild than vulnerabilities that do not require authentication," Hansen added.
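The flaw Hansen describes is an authorisation check that stops at "is this caller logged in?" and never asks "does this record belong to this caller?". The following added example (not Uber's code; the document store, handler names and driver ids are constructed for illustration) shows a document lookup of the kind a driver app's upload flow might use, first in the vulnerable form and then with the ownership check in place, together with the horizontal-access test Hansen says is easy to run: authenticate as one user and request every record belonging to another.

```python
"""Horizontal access control: a vulnerable record lookup beside its fixed form.

Added example with constructed data; not taken from any real driver app.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class Forbidden(Exception):
    """Raised when a caller is not allowed to read the requested record."""


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int   # id of the driver who uploaded the document
    kind: str       # e.g. "insurance", "licence"
    contents: str


# Constructed sample store: three documents belonging to two different drivers.
DOCUMENTS: Dict[int, Document] = {
    101: Document(101, 1, "insurance", "driver-1 insurance card"),
    102: Document(102, 1, "licence", "driver-1 licence scan"),
    201: Document(201, 2, "insurance", "driver-2 insurance card"),
}


def get_document_vulnerable(session_user_id: Optional[int], doc_id: int) -> Optional[Document]:
    """Insufficient authorisation: only checks that *someone* is logged in,
    then serves whatever id the client asked for."""
    if session_user_id is None:
        raise Forbidden("login required")
    return DOCUMENTS.get(doc_id)


def get_document_fixed(session_user_id: Optional[int], doc_id: int) -> Optional[Document]:
    """Same lookup with the missing ownership check added."""
    if session_user_id is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    # A missing record and another driver's record are rejected the same way,
    # so the response does not tell the caller which ids exist.
    if doc is None or doc.owner_id != session_user_id:
        raise Forbidden("not your document")
    return doc


def list_documents_fixed(session_user_id: int) -> List[Document]:
    """Listings are scoped by the session's user id, never by a client-supplied
    filter, so a screen can only ever be filled with the caller's own records."""
    return [d for d in DOCUMENTS.values() if d.owner_id == session_user_id]


def horizontal_access_check(
    handler: Callable[[Optional[int], int], Optional[Document]],
    victim_id: int,
    other_id: int,
) -> List[int]:
    """Authorisation test: acting as `other_id`, request every document owned by
    `victim_id` and return the ids that were served. An empty list means the
    handler enforces horizontal access control for that pair of users."""
    served = []
    for doc in DOCUMENTS.values():
        if doc.owner_id != victim_id:
            continue
        try:
            result = handler(other_id, doc.doc_id)
        except Forbidden:
            continue
        if result is not None:
            served.append(doc.doc_id)
    return served


if __name__ == "__main__":
    print("vulnerable handler leaks:", horizontal_access_check(get_document_vulnerable, 1, 2))
    print("fixed handler leaks:", horizontal_access_check(get_document_fixed, 1, 2))
```

The test helper needs two ordinary user accounts and nothing more, which is the point Hansen makes: the check is cheap to run as part of a normal test suite, but it does need authenticated sessions, so it is exercised less often than unauthenticated probing.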

Earlier this year, Uber's driver database was leaked through GitHub, exposing the details of some 50,000 drivers in a far more serious breach. Uber has had more than its fair share of security flaps over recent months, as catalogued in a post commenting on the latest incident on Sophos' Naked Security blog here. ®
