After hacked Uber accounts appeared for sale on the dark web for as little as $1, victims in both the United States and United Kingdom have complained of fraudulent trips being made on their accounts, often racking up hundreds of dollars' worth of bills. Now, one hacker has shown Motherboard how those accounts may have been broken into.
It started with a thread on an account cracking forum, written in December 2014. This advertised a configuration file that, when combined with an account cracking program, helps hackers break into accounts on websites. The configuration file tells the cracking program how exactly to interact with a specific website, so different login attempts can be made as quickly as possible.
The hacker who alerted Motherboard to the thread, who used the screen name “Aaron”, explained how this process worked. First, a hacker will get hold of any of the myriad data dumps of email and password combinations that are circulated in the digital underground. This list of login details will then be loaded into a computer program along with the Uber website configuration file. From here, the program will cycle through all of the login credentials and try them on the Uber website, in the hope that they have also been used to set up an Uber account.
“It’s basically checking a database dump/account list against a certain website and displaying results,” Aaron told Motherboard over encrypted chat.
Aaron then demonstrated this process, and had accessed an Uber account within minutes. He tested 50 email and password combinations sourced from a leak of a gaming website, and two worked successfully on Uber. Aaron claimed one of these was a rider’s account, and he then sent several censored screenshots of the user’s trip history and some of their credit card details.
Using the same email and password on multiple services, which is generally considered to be a bad security practice, appears to be the root of these hacked accounts. During previous reporting, victims told Motherboard that they used the same password on other sites as they did on Uber.
This latest finding supports Uber’s previous claims that its own systems were not breached. Uber did not immediately respond to a request for comment.
“Uber is at fault too for not having simple scripts that could delay or totally prevent the attackers from making a [configuration file] which would crack accounts on their website,” Aaron said.
Ryan Lackey, product manager at CloudFlare, a website protection company, elaborated. “A CAPTCHA [a small test that humans can pass but computers typically cannot] is a good way to restrict large numbers of attempts to check passwords,” he wrote in an email. “But it also degrades the user experience. You need to think carefully about when they’re appropriate, especially on mobile—if Uber threw up a CAPTCHA when I booked a car, I’d probably switch to Lyft.”
Lackey didn’t think that Uber should be blamed. Instead, he said, “The real fault here is platform vendors and the security industry as a whole for not providing better user authentication options in an easy-to-use way for mobile app developers.”
One possible solution would be “a hidden device-specific key,” which would mean that only a user’s registered phone could order an Uber taxi. In short, Lackey said, “You really need something better than passwords to authenticate users.”
In the end, Lackey feels, “Clearly the most at-fault party here are the criminals going after the accounts.”
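The process Aaron describes (a leaked list of email/password pairs replayed against the login form) and the throttling Lackey argues for have a recognisable shape in a site's own authentication logs: one source trying many different accounts in a short span, almost all of them failing. The following Python is an added example written for this article, not code from Motherboard, Uber, or anyone quoted here. The log format, IP addresses, account names and thresholds are all constructed for illustration; a real deployment would tune the window and ratios to its own traffic.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Heuristic: a single source that tries many *distinct* accounts with a high
failure ratio inside a short window looks like a replayed credential list,
not one person mistyping a password.  A source's successful logins after it
is flagged are the accounts a defender should force a password reset on.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line:
# "<ISO timestamp> <source ip> <account> <OK|FAIL>"
# 203.0.113.7 replays ten leaked pairs in ten seconds; two of them work.
# 198.51.100.20 is a legitimate user who mistypes one password three times.
SAMPLE_LOG = """\
2015-04-30T10:00:01 203.0.113.7 alice@example.com FAIL
2015-04-30T10:00:02 203.0.113.7 bob@example.com FAIL
2015-04-30T10:00:03 203.0.113.7 carol@example.com OK
2015-04-30T10:00:04 203.0.113.7 dan@example.com FAIL
2015-04-30T10:00:05 203.0.113.7 erin@example.com FAIL
2015-04-30T10:00:06 203.0.113.7 frank@example.com OK
2015-04-30T10:00:07 203.0.113.7 grace@example.com FAIL
2015-04-30T10:00:08 203.0.113.7 heidi@example.com FAIL
2015-04-30T10:00:09 203.0.113.7 ivan@example.com FAIL
2015-04-30T10:00:10 203.0.113.7 judy@example.com FAIL
2015-04-30T10:05:00 198.51.100.20 dave@example.com FAIL
2015-04-30T10:05:40 198.51.100.20 dave@example.com FAIL
2015-04-30T10:06:30 198.51.100.20 dave@example.com FAIL
2015-04-30T10:07:10 198.51.100.20 dave@example.com OK
2015-04-30T10:09:00 192.0.2.9 mallory@example.com OK
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    account: str
    ok: bool


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)  # every account the source tried
    hits: set = field(default_factory=set)      # accounts it logged into


def parse_line(line: str) -> Attempt:
    """Parse one constructed log line into an Attempt."""
    ts, ip, account, result = line.split()
    return Attempt(datetime.fromisoformat(ts), ip, account.lower(), result == "OK")


def detect_stuffing(lines, window_seconds=60, min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: SourceStats} for every source that, within some
    window_seconds span, touched at least min_accounts distinct accounts
    with a failure ratio of at least min_fail_ratio."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            attempt = parse_line(line)
            by_ip[attempt.ip].append(attempt)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        for i, start in enumerate(attempts):
            # All attempts from this source inside [start, start + window].
            win = [a for a in attempts[i:] if a.ts - start.ts <= window]
            distinct = {a.account for a in win}
            fail_ratio = sum(not a.ok for a in win) / len(win)
            if len(distinct) >= min_accounts and fail_ratio >= min_fail_ratio:
                flagged[ip] = SourceStats(
                    attempts=len(attempts),
                    failures=sum(not a.ok for a in attempts),
                    accounts={a.account for a in attempts},
                    hits={a.account for a in attempts if a.ok},
                )
                break  # one qualifying window is enough to flag the source
    return flagged


def throttle_decision(attempts: int, distinct_accounts: int, fail_ratio: float) -> str:
    """Per-source response for the login endpoint, in the spirit of the
    CAPTCHA / delay trade-off discussed above.  Thresholds are constructed.

    'allow'     - looks like a user mistyping their own password
    'challenge' - step-up (CAPTCHA, email code) before more attempts
    'block'     - many distinct accounts, nearly all failing
    """
    if distinct_accounts >= 5 and fail_ratio >= 0.8:
        return "block"
    if distinct_accounts >= 3 or (attempts >= 5 and fail_ratio >= 0.8):
        return "challenge"
    return "allow"


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        ratio = stats.failures / stats.attempts
        print(f"{ip}: {stats.attempts} attempts, {len(stats.accounts)} accounts, "
              f"{stats.failures} failures, hits={sorted(stats.hits)}, "
              f"decision={throttle_decision(stats.attempts, len(stats.accounts), ratio)}")
```

Running the script flags only 203.0.113.7 and lists the two accounts it successfully entered; the legitimate user who failed three times on a single account is left alone, which is the distinction a blanket per-IP lockout would miss.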
Update 05/04/2015: Uber responded with the following comment: “Keeping our systems secure is a priority and an ongoing effort at Uber. We use a variety of technical controls to do this and are always adding additional mechanisms to enhance security.
As we have stated previously about this specific report: we investigated and found no evidence of a breach, and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”