Inside Uber’s $100,000 Payment to a Hacker, and the Fallout

Most of all, the hacking and Uber’s response have fueled a debate about whether corporations that have crusaded to lock down their systems can responsibly work with hackers without putting themselves on the wrong side of the law.


A hacker informed Uber of a major vulnerability in November 2016. The company disclosed the breach a year later.

Dave Sanders for The New York Times

Uber is illustrative of a breed of company that aimed to bulletproof its security. While many companies were for years blissfully unaware of the bad actors penetrating their systems, Uber and others recruited former law enforcement and intelligence analysts and installed layers of technical defenses and password protection. They joined other corporations in embracing the same hackers they once treated as criminals, paying bug bounties as high as $200,000 to report flaws.

Yet since the fallout from Uber’s disclosure, Silicon Valley companies have taken a harder look at their bounty programs. At least three have put their programs under review, according to two consultants who have confidential relationships with those companies, which they declined to name. Others said criminal prosecutions for not reporting John Doughs would deter ethical hackers who would otherwise come forward.

“Anything that causes organizations to take a step backwards and not welcome contributions from the security community will have a negative impact on all of us,” said Alex Rice, a co-founder of HackerOne, a security company that works with customers, including Uber, to manage interactions with and payments to hackers.

The situation is complicated by Uber’s track record for pushing boundaries, which put it under scrutiny last year and helped spur the resignation of Travis Kalanick, its longtime chief executive, in June. Mr. Khosrowshahi has since vowed to change the way the company conducts itself.

This account of Uber’s hacking and the company’s response was based on more than a dozen interviews with people who were involved in the situation, many of whom declined to be identified because of the confidentiality of their exchanges. Many are current or former members of Uber’s security team, who defended their actions as a prime example of how executives should respond to security problems in their systems. The New York Times also obtained more than two dozen internal Uber emails and documents related to the incident.

In a statement, Mr. Sullivan disputed the notion that the 2016 episode was a breach and said Uber had treated it as an authorized vulnerability disclosure.


Dara Khosrowshahi, center, Uber’s chief executive since last summer, has vowed to change the way the ride-hailing company conducts itself.

Adriano Machado/Reuters

“I was surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up,” he said, adding that he was proud its engineers had been able to fix the problem before it could be abused. He declined to discuss disclosure because of the active state investigations.

Matt Kallman, an Uber spokesman, said, “We stand by our decision to very publicly disclose the 2016 data breach — not because it was easy, but because it was the right thing to do.”

Through a spokesman, Mr. Kalanick declined to comment.

Uber started its bounty program in March 2016, challenging hackers to find bugs that could specifically lead to the exposure of sensitive user data. The higher the risk of the bug, the more Uber would pay. In Uber’s calculus, the payouts were better than learning about a vulnerability only after attackers had abused it.

By the time Mr. Sullivan received John Doughs’s email, Uber had paid rewards to hundreds of hackers. Mr. Sullivan forwarded the John Doughs note to his team for vetting and, if all checked out, patching and payment.

Uber’s security team used monikers for hackers, particularly the colorful, anonymous ones who engaged with the company. John Doughs was called “Preacher” for his admonitions that Uber needed to be better at security.

“It’s very disappointing to be finding this vulnerability in such way,” the hacker wrote in an email to Rob Fletcher, Uber’s product security engineering manager. “Especially coming from a company like Uber.”

From the Emails

Other emails obtained by The Times show Mr. Fletcher treated the incident as a bounty and encouraged Preacher to provide proof of the vulnerability, including sending a few lines of data from the database he had breached.

According to the emails obtained by The Times, Uber quickly discovered that some of its employees had left keys on a programming website called Github. Those keys had allowed Preacher to gain access to Uber’s Amazon web servers, where it stored source code as well as 57 million customer and driver accounts, including driver’s license numbers for some 600,000 Uber drivers. It was a major oversight. To fix it, Uber had to tell everyone at the company that it was temporarily shutting down access to Github.
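The root cause described above, cloud credentials committed to a code repository, is the kind of mistake a repository scanner can catch before a push. The following is an added example written for this article, not Uber’s or GitHub’s own tooling; the AWS access key ID format is the documented one, while the 40-character secret-key pattern and the entropy cutoff are heuristics I am assuming, and the sample config is constructed using the placeholder key values AWS publishes in its documentation.

```python
import math
import re
from collections import Counter

# AWS access key IDs are "AKIA" followed by 16 characters from [A-Z0-9].
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Assumed heuristic: a 40-char base64-like token assigned to a *secret_key variable.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_key\W{0,5}[=:]\W{0,5}([A-Za-z0-9/+]{40})")
ENTROPY_THRESHOLD = 4.0  # assumed cutoff; real random 40-char keys score well above it


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'xxxx...' score near zero."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(token: str) -> str:
    """Keep a short prefix so a finding can be reported without re-leaking the value."""
    return token[:4] + "*" * (len(token) - 4)


def scan_text(text: str) -> list:
    """Return (line_number, kind, redacted_value) for each credential candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            token = m.group(1)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:  # drop obvious dummies
                findings.append((lineno, "aws_secret_access_key", redact(token)))
    return findings


# Constructed sample of a settings file that should never have been committed.
# The values are AWS's published example credentials, not live keys.
SAMPLE_COMMIT = """# deploy/settings.py
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_SECRET_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_COMMIT):
        print(f"line {lineno}: {kind} -> {value}")
```

Wired into a pre-commit hook or a CI job over the diff, a non-empty result from `scan_text` should block the push; the low-entropy `DB_SECRET_KEY` line is deliberately ignored to show the false-positive filter.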

Meanwhile, emails between the hacker and Mr. Fletcher continued. In some, Mr. Fletcher thanked the hacker for helping the company fix the oversight. In two emails, Preacher’s motivations appeared less altruistic. In one, he demanded “high compensation” for his findings. After Mr. Fletcher wrote that the company’s maximum bounty was $10,000, Preacher said he and his team would only accept “six digits.”

Mr. Fletcher said he would need to seek authorization for a $100,000 payment, and would need Preacher’s reassurances that he would delete the data he had downloaded. Mr. Fletcher also pushed the hacker to take payment through HackerOne, which requires bounty recipients to reveal their real identities for tax requirements.

Mr. Fletcher drew further details about the hacker out through emails, including tidbits about his identity, his web hosting provider, the location of his computer and proof that he deleted his copy of Uber’s downloaded data by looking at a digital copy of his system provided by his host.

“I’d like to thank you and your team for your excellence in dealing with this issue,” Preacher wrote in one email.


Uber invited the hacker, whom it called Preacher, to visit its headquarters in San Francisco. He declined.

Ryan Young for The New York Times

According to the emails, Uber at one point extended Preacher an all-expenses paid trip to San Francisco, where the company is based. Uber asked the hacker to discuss his security methods and offered to introduce him to companies that might be interested in his skills. Preacher declined.

Preacher’s trail of digital bread crumbs eventually led to a 20-year-old whose first name was Brandon and who was living in a Florida trailer park with his family, according to the emails. In one email, Uber offered to send someone to meet Brandon at a local coffee shop. Brandon declined to leave his home and suggested that the employee meet him there. It was there that Brandon signed agreements assuring Uber that he had deleted the data he had downloaded.

The Times was unable to learn Brandon’s full name. An email to the John Doughs account bounced back.

By then, Uber’s security team was celebrating its response to what could have been a major security breach. Mr. Sullivan and his colleagues were praised in year-end performance reviews, including by Mr. Kalanick, according to current and former employees.

What is now at issue is whether Uber executives broke the law with the $100,000 payment and should have promptly notified customers or officials of the discovery. The issue is not legally clear cut.

Laws concerning bug bounties — particularly those that let hackers view or save sensitive customer data — are ambiguous. The Justice Department weighed in on bug disclosure programs for the first time in July and largely left it to organizations to decide what access they would authorize for hackers and what they could do with the data. In Uber’s case, its bounty guidelines authorized and encouraged hackers to look for vulnerabilities that exposed its most sensitive user data.

Breach disclosure laws also vary from state to state. The state laws most relevant to Uber’s case require disclosure if names are exposed along with driver’s license numbers in a “breach of security.”

Brandon received two payments of $50,000 each from Uber on Dec. 8, 2016, according to the emails. Uber continued trading emails with Brandon throughout 2017, until the conversation eventually dwindled.

The matter seemed settled — until Mr. Sullivan received a phone call while preparing Thanksgiving dinner, according to two people familiar with the matter. He was being fired, effective immediately, for failing to disclose the incident to the proper authorities at the time.
