Uber has been hacked and boy does it look bad. The hacker, who boasted of their achievements via Telegram this week, claims to be an 18-year-old who gained such liberal access to the tech giant’s network that they were able to post a picture of a penis on one of its internal websites.
Uber hasn’t said much about its security debacle yet, aside from Thursday when it admitted that it was experiencing a “cybersecurity incident.” On Friday, the company also posted a brief update in which they claimed that there was “no evidence that the incident involved access to sensitive user information.”
Online security researchers have been quick to analyze the episode, parsing what tactical mistakes may have led to the breach, based on the information leaked by the culprit. Granted, everything that the hacker has said at this point is only alleged and it’s not exactly clear whether they’re telling the truth or not. However, Gizmodo reached out to several experts to ask about the hack and get their perspective on how this whole thing might have happened.

Photo: DON EMMERT/AFP (Getty Images)
How the Hacker Claims to Have Breached Uber
Like a lot of recent intrusions into large corporate networks, the hack of Uber appears to have been accomplished using pretty basic hacking techniques. Indeed, if the perpetrator does turn out to be a teenager, it would mean that one of the biggest tech companies on the planet was just hacked by someone who likely doesn’t qualify as more than a script kiddie.
The hacker has been happy to tell everybody how they got into Uber’s network. In statements posted to a Telegram page and in conversations with the New York Times, the alleged hacker said they tricked an Uber employee into forking over their login credentials through a social engineering attack that made them appear to be a colleague. Dave Masson, Director of Enterprise Security at security firm Darktrace, told Gizmodo that this isn’t a particularly sophisticated intrusion method.
“Based on what the hacker said, they didn’t really ‘hack’ their way in,” said Masson. “They basically tricked somebody into giving up the multi-factor authentication details and then walked in the front door.” These kinds of attacks have always been common, but they’ve become increasingly prevalent since the pandemic put most companies in a semi-permanent work-from-home status, Masson said.

The attack appears to have allowed the hacker to gain access to the user’s VPN, which provided access to Uber’s corporate network. From there, the hacker allegedly discovered a document, or “internal access share,” that included login credentials for other services and areas of the network. After that, escalating privileges into the company’s wider environment would have been relatively easy.
A Flaw in MFA
For a long time, we’ve heard that the surest way to keep our digital lives safe is to use multi-factor authentication. MFA authenticates users by forcing them to present multiple pieces of information (typically from at least two different devices) to log into their online accounts. Yet some forms of MFA also have an infrequently discussed vulnerability, which is that they can be easily out-maneuvered by a hacker who employs social engineering or basic Man-in-the-Middle-style attacks to collect login credentials.
Bill Demirkapi, an independent security researcher, told Gizmodo that the kind of MFA that Uber seems to have used is not the most secure form. Instead, Demirkapi suggests the use of FIDO2, which bills itself as a “phishing-resistant” form of authentication. FIDO2 is a web authentication mechanism that, unlike more standard forms of MFA, verifies that the origin of the MFA prompt comes from the real login server, Demirkapi said. “If an attacker created a fake login page and prompted for FIDO MFA, the U2F device wouldn’t even respond, preventing the authentication from continuing,” he added.
“Standard forms of multi-factor authentication such as push notifications, text messages, OTP [one-time-password], etc. do protect against attackers that only have an employee’s credentials, but often not against phishing,” he said.

Problematically, phishing a user of standard MFA can be accomplished fairly easily using widely accessible web tools. Demirkapi refers to one such tool, called “Evilginx,” which can be accessed for free online. An attacker can use a tool like this to produce a fake login page that looks identical to the real one. If they convince a victim to visit the phishing page, the attacker’s server can “replicate a connection to the actual login server” so that everything the victim enters is simply relayed to the attacker.
“A victim can enter their credentials, the attacker logs it, and then the attacker sends the login request to the real server,” said Demirkapi. “Once the victim is prompted for ‘standard MFA’, there is no check done to verify that the victim is actually on the real login page. The victim accepts the prompt, the real server sends the authenticated cookie for the victim to the attacker server, and the attacker logs and relays this to the victim. It’s a seamless process that allows the attacker to capture the victim’s credentials, even with common forms of multi-factor authentication,” he said.
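The origin check that Demirkapi describes can be seen from the login server's side of a FIDO2/WebAuthn sign-in. The sketch below is an added example, not code from the article or from Uber: the RP ID, origins and sample assertions are constructed, and signature verification (which stops a relay from rewriting these fields) is assumed to be handled by a WebAuthn library.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                     # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed real login origin


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_origin_binding(client_data_json, authenticator_data, expected_challenge):
    """Origin-related checks from WebAuthn assertion verification.

    The browser, not the page, writes `origin` into clientDataJSON, and the
    authenticator signs authenticator_data || SHA-256(clientDataJSON).
    Verifying that signature is a separate, required step not shown here.
    """
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r is not the real login server" % client.get("origin")
    if len(authenticator_data) < 37:             # rpIdHash(32) + flags(1) + counter(4)
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    return True, "origin binding ok"


def sample_assertion(origin, rp_id, challenge):
    """Constructed sample data in the shape a browser and authenticator report."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client, auth_data


if __name__ == "__main__":
    challenge = b"constructed-server-challenge"
    for origin, rp in [("https://login.example.com", RP_ID),
                       ("https://login.example-sso.test", "login.example-sso.test")]:
        print(origin, check_origin_binding(*sample_assertion(origin, rp, challenge), challenge))
```

A push approval or OTP check has no equivalent of the `origin` and `rpIdHash` fields, which is why the relayed login in the quote above succeeds against those factors.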
Is User Data Safe?
One lingering question about this incident is whether user data may have been affected. On Friday, Uber released a statement that claimed that there was “no evidence” that the hacker had accessed “sensitive user data (like trip history).” However, the company hasn’t exactly provided much context for what that means. Security experts that spoke with Gizmodo said that (given the broad access the hacker appears to have acquired) it was certainly possible that they could have viewed user data.
“Is it possible? For sure,” said Demirkapi. “In fact, some screenshots that the attacker did leak appear to show limited access to customer information. This alone does not mean much, however, because what really matters is the extent to which the attacker gained access to customer info.” That extent, obviously, is unknown.
Masson similarly agreed that it was possible. “We don’t know that yet, but I wouldn’t be surprised if that turned out to be the case,” he said, pointing to the 2016 hack that affected the company. In that particular case, the impact was quite bad. Hackers stole the personal information of some 57 million Uber users. The company failed to disclose the incident and secretly paid the cybercriminals to delete the data.

For now, the more pertinent question for Uber may be what sort of dirt the hacker found on the rideshare company’s business practices and whether they would even know what to look for.