Uber has an account security issue and it seems they want to ignore it

November 27, 2016

:: updated Dec 6, 2016 (see end) ::

Uber has an account security issue and support is either not taking the problem seriously, or they do not understand the risk. This was brought further to my attention today when we were able to gain access to another rider’s account using a simple password reset.

Summary

  • Received over 200 emails from Uber trips completed in Kenya (we live in Australia)
  • Uber support fails to resolve the issue of a non-verified email account
  • We’re able to take control of the rider’s account using a simple password reset

Since July my partner has received over 200 messages in her Gmail account addressed to a rider in Nairobi, Kenya who sometimes completes trips several times a day. We live in Brisbane, Australia.

[Image: Uber Kenya trip emails received]

After being told by Uber’s Support that they are no longer willing to assist with the problem, we were able to login to the Kenyan rider’s account and view their personal details including:

  • full name
  • phone number
  • payment method
  • detailed maps of every trip they have taken since they started using the service, thus we can infer with high probability their home address and common travel destinations.

[Image: Rider’s account details]

How were we able to do this?

By simply going to uber.com and requesting a password reset. The only difference was that we omitted the period my partner usually uses in her Gmail address. Since Google does not differentiate between Gmail addresses that differ only in periods or letter case (an issue we highlighted multiple times with Uber support), we received the automated password reset email. We were instantly able to set a new password and log in using the email address without the period and the new password. We now have complete control of this user’s account in Kenya.

[Image: Rider’s trip history]

Uber support experience

Uber’s account policy of not requiring a verified email address at signup means anyone could mistakenly add an incorrect Gmail address to their rider account, which opens them up to this simple-to-execute privacy breach.
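As an added illustration (not code from this post or from Uber), here are the two checks the post argues for: a Gmail-aware canonicalisation that flags two registered addresses delivering to one inbox, and a password-reset gate that refuses to email a reset link to an address that was never verified. The account records and addresses are constructed; the "+suffix" handling goes beyond the dots-and-case behaviour the post describes.

```python
# Constructed account store standing in for a real user database; the
# addresses and owners are made up for this example.
ACCOUNTS = {
    "janedoe@gmail.com": {"email_verified": False, "owner": "rider A"},
    "jane.doe@gmail.com": {"email_verified": True, "owner": "rider B"},
    "someone@example.com": {"email_verified": True, "owner": "rider C"},
}

# Domains where the provider ignores dots and case in the local part.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(addr):
    """Reduce an address to the mailbox that actually receives its mail.
    For Gmail: lowercase the local part, drop dots and any "+suffix", and
    fold googlemail.com into gmail.com. For other domains only the domain
    is lowercased, since local-part rules vary by provider and guessing
    them would wrongly merge distinct users."""
    local, _, domain = addr.strip().rpartition("@")
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def mailbox_collisions(accounts):
    """Group registered addresses that resolve to the same mailbox. A group
    with more than one entry means reset emails for several accounts land
    in one inbox, which is exactly the situation described in the post."""
    groups = {}
    for addr in accounts:
        groups.setdefault(canonical_email(addr), []).append(addr)
    return {mbox: addrs for mbox, addrs in groups.items() if len(addrs) > 1}

def can_send_password_reset(accounts, requested_addr):
    """Decide whether a reset link may be emailed to requested_addr. The
    address must match a record exactly and that record must have completed
    email verification; otherwise the caller should fall back to another
    recovery factor such as a verified phone number. Returns (allowed, reason)."""
    record = accounts.get(requested_addr.strip())
    if record is None:
        return False, "no account registered with that exact address"
    if not record["email_verified"]:
        return False, "address never verified; require another recovery factor"
    return True, "ok"
```

Run against the constructed store, the collision check reports the two Gmail spellings as one mailbox, and the reset gate refuses the unverified entry while allowing the verified one.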

Uber’s help page suggests that they take security seriously, but the support experience suggests otherwise. At first the constant barrage of emails was merely annoying, and we could have filtered the Uber Kenya emails straight to the Gmail Spam folder and moved on. However, it was the blatant security issue that prompted the ongoing back-and-forth with multiple people at Uber support, and ultimately the writing of this post after we were able to gain access to another rider’s account so easily.

After countless emails over the past five months, Uber support have suggested filtering the emails to Spam (this will not solve the security issue) and even acquiring a new email address, which is frankly a ridiculous suggestion for a customer your company would likely wish to retain.

After this frustration, I decided we had to speak to someone locally. I searched LinkedIn for Uber staff located in Brisbane and connected with a few of them. I messaged Jess, from the Community Operations team who was responsive and keen to help, even while she was away from the office on leave. Jess forwarded the message to someone who would look into it, and after a few days the Kenyan completed trip emails stopped appearing.

A couple of weeks later the emails started again, so we reached out to support once more but were unable to get any response. Again we had to message Uber staff via LinkedIn to restart communication. At this stage Uber didn’t want to deal with the issue again and sent these messages suggesting we take the issue up with Google.

[Image: Uber support response]

After a brief response from us, support marked the case ‘Resolved’ and reiterated that they are not willing to help further, which they could simply do by reaching out to the Kenyan rider to ensure their email address is correctly verified.

[Image: Support response marked resolved]

What does this mean now?

I have the ability to access someone else’s account and private data. Uber needs to understand that there are likely many other similar cases, and that they could occur with malicious intent; that is why I am making this support case open for public viewing.

Uber’s support have ‘resolved’ the case, while another rider’s account security still remains compromised.

I welcome comments below and hopefully this gets to someone at Uber who either knows or cares enough to follow it up appropriately.

Update:

After referring Uber support to this article, they deleted the other user’s account we had managed to access. I’m glad they did this as I felt uneasy having that access; however, they’ve simply left it at that, and it is unlikely that any actual follow-up will occur with regard to how they manage their riders’ security. A shame, but not really surprising at this point.

16 Comments
  • Daniel, December 7, 2016

    Great write-up. Unfortunately this is not surprising, and seen all too often. I for one have others register accounts using my email address on a regular basis. The users that use my accounts simply validate their accounts via other means, such as their mobile number, or no validation is required at all.

    I'm conflicted on who owns responsibility in these instances.

    On one hand, if Person A uses the email account of Person B (yourself) to avoid using their own email account, they invite ownership re-homing. I feel a reasonable amount of ownership when my email address is used, and I promptly reset 'my' password. Person A should find the magic of a dummy email address. Indeed it's not that hard. If Person A doesn't, if they use the account of Person B, account ownership, personally, becomes quite grey.

    I always use my identity, my details, when I register to use services, just as I would a gym membership. Why do we find it acceptable to be dishonest online? We shouldn't, it's unacceptable. But it happens... I feel no pity for these people though, and I hold the company with very little responsibility in most instances. It's akin to logging into a banking account at an internet kiosk, and leaving the console unlocked whilst going to the bathroom.

    Customers have responsibility for their actions.

    On the other hand, these systems can hold data that could put Person A at risk; such as financial, reputation, or safety loss. In these instances I do firmly believe that greater ownership should be held by the provider. In Uber's example, Person A's safety is at risk, as is their financial position. You know where they live, and a temporary Visa card could readily harvest their earnings. If more publicly known, this could be exploited more often than it is today.

    It's simple, password recovery should ALWAYS require validation via the same means as the original registration, and registration verification shouldn't be a discussion point within application design. Security questions, whilst having their weaknesses, also provide an alternate 'shared secret' that can be used for the same process. In any instance, it shouldn't be a 'click once' process to take account ownership as you have in this instance.

    In this instance, I call mutual responsibility. Uber need to up the ante on their controls, and their customer service.

    Dan.
