Uber has an account security issue and it seems they want to ignore it
November 27, 2016
:: updated Dec 6, 2016 (see end) ::
Uber has an account security issue and support is either not taking the problem seriously, or they do not understand the risk. This was brought further to my attention today when we were able to gain access to another rider’s account using a simple password reset.
- Received over 200 emails from Uber trips completed in Kenya (we live in Australia)
- Uber support fails to resolve the issue of a non-verified email account
- We’re able to take control of the rider’s account using a simple password reset
Since July my partner has received over 200 messages in her Gmail account addressed to a rider in Nairobi, Kenya who sometimes completes trips several times a day. We live in Brisbane, Australia.
After being told by Uber’s Support that they are no longer willing to assist with the problem, we were able to log in to the Kenyan rider’s account and view their personal details including:
- full name
- phone number
- payment method
- detailed maps of every trip they have taken since they started using the service, thus we can infer with high probability their home address and common travel destinations.
How were we able to do this?
By simply going to uber.com and requesting a password reset. The only difference we made when doing this was omitting the period my partner usually uses in her Gmail address. Gmail ignores periods in the part of the address before the @ and treats it case-insensitively (an issue we highlighted multiple times with Uber support), so the dotted and undotted addresses deliver to the same inbox. Uber, however, matched the address exactly as typed, so the reset requested for the undotted address, the one registered to the Kenyan rider’s account, arrived as an automated email in my partner’s inbox. We were instantly able to set a new password and log in using the email address sans period and the new password. We now had complete control of this user’s account in Kenya.
Uber support experience
Uber’s account policy of not requiring a verified email address at signup means anyone could mistakenly enter an incorrect Gmail address on their rider account, which opens them up to this simple-to-execute privacy breach: whoever owns the mailbox that actually receives Uber’s mail can reset the password and take the account at any time.
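To make the two points above concrete (a service comparing addresses literally while Gmail ignores dots, and the missing verification step), here is an added example. It is not Uber’s code and does not describe Uber’s systems; the domain list, the account store and the sample accounts are assumptions constructed for illustration. It canonicalises addresses the way the receiving Gmail mailbox would, shows that a literal-match reset lookup hands the undotted account to the dotted address’s owner, and shows a hardened lookup that only sends reset links to verified addresses, plus an audit that surfaces accounts sharing one mailbox.

```python
"""Gmail-style address canonicalisation and a password-reset lookup check.

Added example, not Uber's code. DOT_INSENSITIVE_DOMAINS, the account store
and SAMPLE_STORE are assumptions made for illustration only.
"""
from dataclasses import dataclass, field

# Domains whose mail servers ignore dots and '+tags' in the local part and
# treat it case-insensitively. Gmail does; assuming this list is sufficient.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Return the address as the receiving mailbox would see it.

    'Jane.Doe+uber@gmail.com' and 'janedoe@gmail.com' deliver to the same
    inbox, so both canonicalise to 'janedoe@gmail.com'. For other domains
    only the case is folded, since dots there may be significant.
    """
    local, _, domain = addr.strip().partition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


@dataclass
class Account:
    user_id: str
    email: str            # address exactly as typed at signup
    email_verified: bool  # did the owner ever confirm a verification link?


@dataclass
class AccountStore:
    accounts: list = field(default_factory=list)

    def naive_reset_targets(self, requested: str) -> list:
        """Literal string match: the service treats 'a.b@gmail.com' and
        'ab@gmail.com' as unrelated accounts and mails whichever matches."""
        return [a.user_id for a in self.accounts if a.email == requested]

    def hardened_reset_targets(self, requested: str) -> list:
        """Look up by mailbox, not by string, and only ever send a reset
        link to an address whose ownership was verified at signup."""
        mailbox = canonical_email(requested)
        return [a.user_id for a in self.accounts
                if canonical_email(a.email) == mailbox and a.email_verified]

    def mailbox_collisions(self) -> dict:
        """Audit: canonical mailbox -> user_ids that share it (only groups
        of more than one). Each such group is one mailbox owner who can
        reset every account in it."""
        groups = {}
        for a in self.accounts:
            groups.setdefault(canonical_email(a.email), []).append(a.user_id)
        return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample: one rider signed up with a dotted address and verified
# it; another typed the same mailbox without the dot and never verified it.
SAMPLE_STORE = AccountStore([
    Account("rider-bne", "jane.doe@gmail.com", email_verified=True),
    Account("rider-nbo", "janedoe@gmail.com", email_verified=False),
    Account("rider-other", "someone@example.org", email_verified=True),
])

if __name__ == "__main__":
    print("shared mailboxes:", SAMPLE_STORE.mailbox_collisions())
    print("naive reset for janedoe@gmail.com ->",
          SAMPLE_STORE.naive_reset_targets("janedoe@gmail.com"))
    print("hardened reset for janedoe@gmail.com ->",
          SAMPLE_STORE.hardened_reset_targets("janedoe@gmail.com"))
```

With the naive lookup, a reset requested for the undotted address targets the unverified account and the link lands in the dotted address owner’s inbox. With the hardened lookup the unverified account never receives a reset link at all, and the collision audit is what a support team could run to find every pair of accounts that one mailbox controls.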
Uber’s help page suggests that they take security seriously, but the support experience tends to suggest otherwise. At first the constant barrage of emails was annoying, and we could have filtered the Uber Kenya emails straight to the Gmail Spam folder and moved on. However, it was the blatant security issue that prompted the ongoing back-and-forth dialogue with multiple people at Uber support, which has led to the writing of this post after we were able to gain access to another rider’s account so easily.
After countless emails over the past five months, Uber support have suggested filtering the emails to Spam (this will not solve the security issue) and even acquiring a new email address, which is frankly a ridiculous suggestion for a customer your company would likely wish to retain.
After this frustration, I decided we had to speak to someone locally. I searched LinkedIn for Uber staff located in Brisbane and connected with a few of them. I messaged Jess, from the Community Operations team who was responsive and keen to help, even while she was away from the office on leave. Jess forwarded the message to someone who would look into it, and after a few days the Kenyan completed trip emails stopped appearing.
A couple of weeks later, the emails started again, so we again reached out to support but were unable to get any response. Again we had to message Uber staff via LinkedIn messages to restart communication. At this stage, Uber didn’t want to deal with the issue again and sent these messages suggesting we take the issue up with Google.
After a brief response from us, support have marked the case ‘Resolved’, and reiterated they are not willing to help further, which they could simply do by reaching out to the Kenyan rider to ensure their email address is correctly verified.
What does this mean now?
I have the ability to access someone else’s account and private data. Uber needs to understand that there are likely many other similar cases that could occur with malicious intent, hence making this support case open for public viewing.
Uber’s support have ‘resolved’ the case, while another rider’s account security still remains compromised.
I welcome comments below and hopefully this gets to someone at Uber who either knows or cares enough to follow it up appropriately.
:: Update Dec 6, 2016 ::
After referring Uber support to this article they deleted the other user’s account we had managed to access. I’m glad they did this as I felt uneasy having that access, however they’ve simply left it at that, and it is unlikely that any actual followup will occur with regards to how they manage their riders’ security. A shame, but not really surprising at this point.