
Attack on Uber Exposes Code-Sharing Vulnerability

November 24, 2017

Jeremy Kahn
Bloomberg, 11/23/2017, 4:19 pm

The data breach at Uber Technologies holds a lesson for software developers who use third-party services to store and share code: be careful what you share.

Services like GitHub, GitLab, and SourceForge are used by developers to collaborate on projects, track bugs, and distribute early versions of applications. They are also targets for cyber thieves.
Uber lost the records of 57 million customers and drivers when hackers gained access to a password-protected area of San Francisco-based GitHub, one of the world's most popular code repositories. It was not the first time.

“Code repositories can be very problematic,” said Chris Boyd, an analyst with cyber security company Malwarebytes. Many companies take a long time to remove login details from these storage services when developers leave.

Earlier this month, a security researcher found that software developers at Chinese drone maker SZ DJI Technology had left private keys for their Amazon Web Services cloud accounts and for all of the company's websites in publicly posted code on GitHub.

In 2014, hackers found a login credential left in code that Uber developers had posted publicly on GitHub, which led to the theft of data on 50,000 Uber drivers. The ride-hailing company sued GitHub in 2015 to force it to turn over information about users who might have accessed the page where the code was posted.

Edwin Foudil, a security researcher who uses the pseudonym EdOverflow, said many companies mistakenly include passwords and private keys in the code they post to storage services.

"It's incredibly common," Foudil said, adding that some developers assume their code is safe when it sits in a password-protected area. "They consider the repository to be private, but this is not a good practice."

Hackers looking for vulnerabilities constantly scan publicly posted code on GitHub for passwords and private encryption keys that developers have left visible, he said.

GitHub declined to comment on individual accounts when asked about the latest Uber attack. The company said it advises users never to store access tokens, passwords, or other authentication or encryption keys in code. If developers need to include these items, they should use additional security procedures to prevent unauthorized access or misuse.
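The scanning that Foudil describes, and GitHub's advice to keep secrets out of code, as an added example that is not part of the Bloomberg article or of any scanner GitHub operates: a small Python secret scanner run over a constructed configuration file containing the kinds of credentials the article mentions (an AWS access key, a GitHub token, a PEM private key), and then over the same file rewritten to read them from the environment. The sample values are constructed, or are AWS's documented example key IDs; the regular expressions and the entropy threshold are illustrative choices and will not catch every credential format.

```python
import math
import re
from typing import List, Tuple

# Credential formats with a recognisable shape. The AWS access key ID prefix
# and the GitHub token prefix are documented formats; the list is illustrative.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]

# Generic assignments such as  DB_PASSWORD = "..."  or  api_key: '...'.
# The value is only reported when it looks random, so placeholders are skipped.
ASSIGNMENT = re.compile(
    r"(?i)(\w*(?:secret|password|passwd|token|api_key)\w*)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off, tune per code base


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(s: str) -> str:
    """Keep only a short prefix so the report itself does not re-leak the secret."""
    return s[:4] + "..." if len(s) > 8 else "..."


def scan_for_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, detail) for every suspected secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, pattern in SECRET_PATTERNS:
            for m in pattern.finditer(line):
                findings.append((lineno, kind, redact(m.group(0))))
                hit = True
        if hit:
            continue  # already reported; do not add a duplicate generic finding
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_value", f"{name}={redact(value)}"))
    return findings


# Constructed sample of a settings file committed with secrets inline.
# The AWS values are the example credentials from AWS's own documentation.
LEAKED_CONFIG = """\
# settings.py (constructed sample of what gets committed by mistake)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
DB_PASSWORD = "changeme-changeme"
TLS_KEY = '''-----BEGIN RSA PRIVATE KEY-----
MIIEexampleonly...
-----END RSA PRIVATE KEY-----'''
"""

# The same file after the fix GitHub's advice calls for: nothing sensitive in
# the repository, values come from the environment (or a secret manager).
HARDENED_CONFIG = """\
# settings.py (constructed): secrets are injected at runtime, never committed
import os
AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
TLS_KEY = open(os.environ["TLS_KEY_PATH"]).read()
"""

if __name__ == "__main__":
    for lineno, kind, detail in scan_for_secrets(LEAKED_CONFIG):
        print(f"leaked config, line {lineno}: {kind} ({detail})")
    print("hardened config findings:", scan_for_secrets(HARDENED_CONFIG))
```

Run as a pre-commit hook or CI step, the scanner flags lines 2, 3, 4 and 6 of the leaked file (the AWS key ID, the high-entropy AWS secret, the GitHub token and the PEM header) while leaving the low-entropy placeholder on line 5 alone, and reports nothing for the hardened file. A real deployment would also scan git history, since a secret deleted in a later commit is still retrievable from earlier ones.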

The hacking attack on Uber is unlikely to deter the use of code-sharing services. Many companies use these repositories to store and share code among programming teams around the globe, and the sites help companies track which versions of the software their programmers are working on.

Sjoerd Langkemper, a security expert in the Netherlands who does web application penetration testing, said there are still good reasons to use these sites.

Storing your code in a GitHub private repository is like storing documents in Google Drive: it's a little less secure than storing them on your hard drive, but for many the benefits outweigh the additional risk, he said.
