Uber Finally Fixed a Bug that Let Hackers Keep Control of Hacked Accounts
After we told them about it.
Uber just fixed a major security issue that allowed hackers to maintain access to compromised accounts even after the victim had changed his or her password.
The company fixed the flaw only on Thursday, after Motherboard alerted it to the potential vulnerability earlier in the week, following yet another case of a hacked user account. This new case shows that, despite a flurry of hacked user accounts in the last few months, the ride-sharing company is still struggling to take what experts consider basic security precautions.
On Sunday, September 27, an Uber car in California was on its way to pick up Adriana, a 62-year-old retiree from Atlanta. But Adriana never ordered that ride. Her account, like those of many Uber users in the last few months, had been hacked. Adriana, who asked us not to include her full name, told Motherboard that she immediately suspected that the breach was due to her "carelessly" reusing a password, so she changed her password.
Yet that didn't stop the hackers. She changed the password once more, and even had Uber reset it for her, but after all these password changes someone still ordered another ride using her account, according to an email exchange between Adriana and Uber support that she shared with Motherboard.
That's because until the recent fix, Uber didn't automatically log out all users who were logged in after a password change. That meant hackers who were logged in could continue using the account even if the password was reset by Uber itself on behalf of the victim. (Motherboard independently verified this flaw in a test earlier this week.)
Automatically logging out any users who are logged in when a password gets changed is something that experts believe is a basic protection against hackers.
"Oh god," Per Thorsheim, a security expert and the founder of the Passwords conference, told me via online chat when I shared Adriana's story with him. "It is tempting to say that is pretty basic stuff, while on the other hand also a basic rookie mistake we've seen before of course. But NOT something I would expect from a HUGE service such as Uber!"
In fact, the Open Web Application Security Project advises web developers to "destroy" or "renew" old login sessions when a password is changed. Major sites such as Google and Facebook either automatically log users out of all their devices when they change passwords, or at least give them the option to.
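To make the OWASP recommendation concrete, here is an added example (not Uber's code; it uses a hypothetical in-memory store) in which every session records the password version in force when it was issued, so that any reset, including one performed by support on the user's behalf, invalidates all earlier sessions. `weak_is_valid` reproduces the behaviour the article describes, where an issued token keeps working after a reset, and `is_valid` shows the fix; `keep_token` lets the device that performed the change stay logged in, matching the "option to close other sessions" that the experts quoted here describe.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical in-memory store; not Uber's implementation.
@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    password_version: int = 1   # bumped on every change or support-side reset

@dataclass
class Session:
    user: str
    password_version: int       # password version in force when issued

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Store:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(salt, _hash(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(u.pw_hash, _hash(password, u.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, u.password_version)
        return token

    def reset_password(self, username: str, new_password: str,
                       keep_token: Optional[str] = None) -> None:
        # Same path whether the user or a support agent triggers the reset.
        u = self.users[username]
        u.salt = os.urandom(16)
        u.pw_hash = _hash(new_password, u.salt)
        u.password_version += 1
        s = self.sessions.get(keep_token)
        if s is not None and s.user == username:   # optionally keep the changing device
            s.password_version = u.password_version

    def weak_is_valid(self, token: str) -> bool:
        return token in self.sessions   # the flaw: any issued token stays usable

    def is_valid(self, token: str) -> bool:
        # Hardened: a token issued under an older password version is rejected.
        s = self.sessions.get(token)
        return s is not None and s.password_version == self.users[s.user].password_version
```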
Uber has now patched this issue.
"We had a flaw in the way password resets worked," an Uber spokesperson told me on Thursday. "It has now been fixed." (Motherboard independently verified the claim in a test.)
The Uber spokesperson added that the company believes the flaw was "mitigated" by other "fraud prevention mechanism," although they declined to specify which ones.
When Motherboard inquired about this bug earlier this week, the company asked us to withhold this story until it released a fix, arguing that revealing this bug was going to help malicious hackers or cybercriminals.
In May, Motherboard revealed that the multiple cases of hacked accounts and fraudulent trips were due to hackers using passwords published in data dumps from other websites and services and then trying them on Uber. (Some were also selling compromised accounts on dark web markets.) To get ahead of the hackers, Uber has been quietly trying to download those same password collections and alerting vulnerable users, according to a person with knowledge of Uber's internal practices, who spoke on condition of anonymity.
That, however, didn't help Adriana. After her password changes didn't stop the fraudulent trips, she complained to an Uber customer support staffer.
"Is it possible if the app from the first request was still open and not logged out of that the original perpetrator could request a second ride?" she asked in an email, which she shared with Motherboard.
"That is a possibility," Jamie Rooker, the Uber support staffer, responded. "That is why we ask that you log out of all devices and change your password asap."
But Adriana, obviously, didn't have access to the hacker's device. Finally, on Monday, after a week of back-and-forth emails, another Uber customer support staffer reached out and informed her that he "made sure that the unauthorized users are no longer accessing your account."
This incident underscores that, despite months of reports of users' accounts getting hacked, Uber still failed to implement basic security practices to protect its users.
"This is a weakness in Uber," Jim Manico, a board member of the Open Web Application Security Project, told Motherboard in an email, before Uber fixed the issue. "When passwords are changed, users should be given the option to close other sessions."
For Thorsheim, this was a "bad practice" because it meant that anyone with access to another user's account would stay logged in even when the user changed his or her password.
"That is probably the equivalent to somebody stealing your credit card, and [having it] still work even after you've called your card issuer to cancel/block the card from being used," he added.
In May, after another user's account had been hijacked, Motherboard reported that Uber was sending new reset passwords via email in cleartext, another outdated and insecure practice. Despite Uber hiring Joe Sullivan, a renowned security executive who used to be Facebook's Chief Security Officer, as well as famed car hackers Charlie Miller and Chris Valasek, it seems the company still has a lot of work to do on basic security issues.
"Uber does not have a great security history from what I see," Manico said. "And they need to increase their efforts if they want to continue their rise to success."
The Uber spokesperson added that the company's "security teams are focused on protecting the integrity of our riders' accounts and maintaining the safety and security of our riders' information. Over the last year, we've made significant investments in building a world-class system to secure information and help protect our users against risk, including this one."
Additional reporting by Joseph Cox