Uber used bug bounty program to launder blackmail payment to hacker

Credit: arstechnica.com

Dec 07 2017 17:45

In November, the CEO of Uber revealed that the company had paid a hacker $100,000 to delete data obtained from a 2016 breach in which 57 million Uber customers' and drivers' names, email addresses, and phone numbers were exposed. But the company did not reveal who the hacker was or how the payment was made.

A Reuters report now casts a bit more light on how the company concealed its blackmail payment—the money was paid out to an as-yet-unidentified Florida man through Uber's bug bounty program, now managed by HackerOne. How Uber officials confirmed the deletion of the data has not been revealed, and a number of US senators have asked for an investigation into the breach, citing questions about why Uber failed to contact law enforcement.

Uber's CEO, Dara Khosrowshahi, said in a blog post about the breach that "two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use," and that no payment data was exposed. But the driver's license data for about 600,000 Uber drivers was stolen, as was contact data for 57 million customers and drivers. "At the time of the incident," Khosrowshahi said, "we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."

Khosrowshahi said he had only recently learned of the breach and had ordered an internal investigation. Two unidentified security team members at Uber who dealt with the breach were fired.

All-time record

HackerOne's public statistics on the Uber bounty program show that Uber has paid out $1,289,595 in bounties over the life of the program so far, including one for the $10,000 maximum specified by Uber to a UK-based researcher for critical bugs. But there are no public payment details for HackerOne profiles that amount to the $100,000 Uber reports to have paid for the data destruction or any string of bounties to a single person that add up to that amount, so it's clear the payment wasn't made through the public HackerOne program. A former HackerOne official told Reuters' Joseph Menn and Dustin Volz that such a payment would amount to an "all-time record" payment through a bug bounty program.

Casey Ellis, founder and CTO of the bug bounty management company BugCrowd, expressed concern about how a company could pass off a blackmail payment as a bug bounty program without raising concerns or alarms. "From an ethical standpoint," Ellis said, "this development creates confusion and potentially damages the growth of the researcher/vendor relationship—despite the fact that it was clearly an extortion payout, and not a true Bug Bounty payout."

A HackerOne spokesperson told Ars that the company had no comment on the matter. Uber also is not commenting on the Reuters story. But using a bug bounty in this way would not be the first of Uber's ethically questionable (and in some cases legally questionable) technology shenanigans, including creating fake user accounts on competitor Lyft's system to help mine driver and pricing data in an attempt to identify which drivers worked for both Uber and Lyft.


Florida $100000 through program with maximum stated payout $10k.
