How Uber social engineering hack compromised Uber’s Hackerone bug bounty reports

secblogs
2 min readOct 30, 2022

--

Person holding smartphone with uber app opened
Photo by freestocks.org: https://www.pexels.com/photo/person-holding-smartphone-34239/

Uber faced another security breach in its network on the 15th of September. Just hours later Uber confirmed this by posting a tweet that they were responding to a security incident after a breach in their internal networks.

Allegedly the attack was said to be performed by an 18-year-old hacker affiliated with the Lapsus$ hacking group which has been gaining a lot of notoriety lately by using the same tactics to attack big companies like Microsoft, Nvidia, and even popular video game developer Rockstar games.

The attack began with the hacker spamming multiple 2fa authorization requests to the uber employee and finally, the employee yielded and approved the request. A social engineering tactic that has been proven to work now and then.

Once the hacker was in he found an internal network share with PowerShell scripts that had admin credentials which later led to access privilege escalation on the organization’s gsuite, slack, and other internal systems.

The hacker then proceeded to send a message on one of Uber’s company-wide slack channel with the following message

“I announce I am a hacker and uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and two monorepos from phabricator have also been stolen, along with secrets from sneakers. #uberunderpaisdrives”

Employees also reported seeing graphic images on some internal sites which were linked to the hack. The hacker continued to escalate impact by compromising Uber’s Hackerone dashboard which gave him access to all of Uber’s resolved and unfixed security bug reports.

This information could be very juicy to hackers as it could reveal working exploits against Uber systems.

The Uber cyber security team responded fairly quickly to this incident.

Here are the steps that were taken to remediate the breach

  • Uber blocked employee accounts that were compromised and required them to reset their passwords.
  • They disabled most of the compromised internal tools.
  • They rotated keys to internal services.
  • They locked down their code base.
  • Enforced multi-factor authentication (MFA) policies

Uber later came out with an update stating that the hacker accessed nothing impactful in terms of user data. So you can sleep tonight if you use Uber.

--

--

secblogs
secblogs

Written by secblogs

Knowledge is power. Information is liberating. Education is the premise of progress.

No responses yet