Uber suffered an enormous data breach and ultimately paid the hackers to keep quiet. Its code repositories were not protected by multifactor authentication even though they contained AWS credentials: Uber has acknowledged that it did not use any multifactor authentication on its GitHub account. That lapse eventually led to the breach, which was disclosed in 2017 after being kept secret for about a year, during which Uber used its bug bounty program to pay the hacker to stay quiet.
Uber has now stopped using GitHub for anything other than open source projects.
Uber’s chief information security officer, John Flynn, disclosed the GitHub gaffe in testimony before the US Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, which held a hearing on Tuesday, February 6th. In the breach, a hacker obtained masses of data from one of Uber’s AWS S3 buckets. Flynn told the hearing “that the intruder found the credential [for AWS] contained within code on a private repository for Uber engineers on GitHub.”
Flynn did not explain how the hacker gained access to that repository, but a brute-force or password-guessing attack can be inferred from his testimony that “We immediately took steps to implement multifactor authentication for GitHub and rotated the AWS credential used by the intruder.”
“Despite the complexity of the issue and the limited information with which we started, we were able to lock down the point of entry within 24 hours. We ceased using GitHub except for items like open source code,” he added.
Flynn also acknowledged that the bug bounty program was not a suitable vehicle for dealing with extortionists who seek to force payments from the company. But he defended the practice on the grounds that doing so helped in the effort to establish attribution and, ultimately, to provide assurances that customers’ data were safe, while also observing that extortion payments are not what bug bounty programs should ever reward. Video of the hearing was not available at the time of writing, so this article cannot comment on Flynn’s replies to any questions put to him.
GitHub was asked whether it was aware that Uber had all but abandoned it, and whether it had responded to the breach in any way. The question was put partly to check what GitHub knew, and partly because Uber dropping GitHub when it had not properly secured its own repos seems somewhat harsh.
GitHub replied, saying “This was not the result of a failure of GitHub’s security. We cannot provide further comment on individual accounts due to privacy concerns. Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code. If the developer must include them in the code, we recommend they implement additional operational safeguards to prevent unauthorized access or misuse.”
Uber appears to have followed that advice: Flynn said its code now contains only auto-expiring AWS credentials.
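GitHub’s advice (never store access tokens or keys in code) and Uber’s switch to auto-expiring AWS credentials are both things a repository owner can check for mechanically before a commit lands. The following is an added example, not code from Uber, GitHub or the original article: a small pre-commit style scanner using regular expressions of my own for the documented AWS access key ID prefixes (AKIA for long-lived IAM user keys, ASIA for temporary STS credentials), a context-matched 40-character AWS secret access key, and the ghp_ GitHub personal access token prefix. It grades long-lived keys as blocking and temporary ones as a lower-severity warning. The source it scans is constructed, using AWS’s own documentation placeholder values and an invented GitHub token; the function and pattern names are assumptions, not anything from the article.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample source file (not Uber's code). The AWS values are the
# placeholders AWS uses in its documentation; the GitHub token is invented.
SAMPLE_SOURCE = """\
# Constructed sample source file (not Uber's code); values are AWS's own
# documentation placeholders plus an invented GitHub token.
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
TEMP_ACCESS_KEY_ID = "ASIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
REGION = "us-east-1"
"""

# Detection patterns (hypothetical names, my own regexes). AKIA is the prefix
# of a long-lived IAM user access key ID, ASIA the prefix of a temporary STS
# credential, both followed by 16 uppercase alphanumerics. The secret-key
# pattern is context-based: it fires only when a 40-character base64-like
# value is assigned to a variable whose name mentions the AWS secret access
# key. ghp_ plus 36 alphanumerics is the GitHub personal access token format.
PATTERNS = [
    ("aws_access_key_long_lived", "high",
     re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")),
    ("aws_access_key_temporary", "medium",
     re.compile(r"(?<![A-Z0-9])ASIA[A-Z0-9]{16}(?![A-Z0-9])")),
    ("aws_secret_access_key", "high",
     re.compile(r"(?i)aws_?secret_?access_?key\s*[=:]\s*['\"]?"
                r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")),
    ("github_personal_access_token", "high",
     re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]


@dataclass
class Finding:
    line_no: int      # 1-based line in the scanned text
    kind: str         # pattern name from PATTERNS
    severity: str     # "high" blocks the commit, "medium" only warns
    redacted: str     # first/last 4 characters kept so the owner can find it


def redact(value: str) -> str:
    """Keep enough of the value to locate it without reproducing the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every credential-shaped match in `text`, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, severity, pattern in PATTERNS:
            for m in pattern.finditer(line):
                # Patterns with a capture group carry the secret in group 1;
                # the rest match the whole credential.
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append(Finding(line_no, kind, severity, redact(value)))
    return findings


def has_blocking_findings(findings: list[Finding]) -> bool:
    """A pre-commit hook would refuse the commit when this returns True.

    Long-lived keys and secrets block; a temporary (auto-expiring) ASIA
    credential is reported but does not block, since it is exactly the kind
    of credential that stops being useful to an intruder after it expires.
    """
    return any(f.severity == "high" for f in findings)


if __name__ == "__main__":
    results = scan_text(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line_no}: [{f.severity}] {f.kind} {f.redacted}")
    # Non-zero exit is what a git pre-commit hook uses to abort the commit.
    sys.exit(1 if has_blocking_findings(results) else 0)
```

Run it as a `pre-commit` hook over `git diff --cached` output rather than whole files in practice; the point of the severity split is that a stray ASIA credential is a hygiene issue, while an AKIA key or secret in a repository is a standing credential that must be rotated, not just deleted from history.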