Naked Security

Lyft: It wasn’t our CTO who cracked Uber’s database

Uber's sleuthing didn't reveal the hand of Lyft's CTO in the cookie jar, but an unidentified party at his IP address allegedly eyed the key.


Imagine you’re the CTO of a company in the red-hot market of ride-sharing.

One day, you read some very interesting news: it seems that a cyber intruder got their hands on a login key belonging to your biggest rival and used it to access an internal database to download the records of its drivers.

It turns out that the company itself leaked a database login key, onto the code-sharing platform GitHub, and nobody noticed until months had passed and 50,000 records – including names and driver license numbers – had been slurped.
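The leak described above is exactly the failure mode that repository secret scanning exists to catch before a commit reaches a public host. As an added example that is not part of the original article (and not Uber's or GitHub's tooling), here is a small scanner run over constructed sample files with made-up values; the two checks it applies are connection URLs carrying a password and high-entropy values assigned to key-like variable names:

```python
import math
import re
from collections import Counter

# Constructed sample of the kind of source files that leak credentials:
# a database URL with an embedded password and a long opaque key assigned
# to a key-like variable. All values here are made up for this example.
SAMPLE_FILES = {
    "config/database.yml": (
        "production:\n"
        "  url: postgres://app_user:Sup3rSecretPw@db.internal:5432/drivers\n"
    ),
    "settings.py": (
        "DEBUG = False\n"
        "DB_ACCESS_KEY = 'a9f3e2c1d4b5a6f7e8d9c0b1a2f3e4d5c6b7a8f9'\n"
        "TIMEOUT = 30\n"
    ),
}

# A URL whose userinfo part carries a password: scheme://user:pass@host
URL_WITH_PASSWORD = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@]+)@", re.I)
# An assignment to a variable whose name suggests it holds a secret
KEY_ASSIGNMENT = re.compile(
    r"\b(\w*(?:key|secret|token|password|passwd)\w*)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})",
    re.I,
)

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score well above prose or placeholders."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    """Return (path, line_no, reason) for each line that looks like a leaked secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if URL_WITH_PASSWORD.search(line):
            findings.append((path, line_no, "connection URL with embedded password"))
            continue
        m = KEY_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            findings.append((path, line_no, f"high-entropy value assigned to {m.group(1)}"))
    return findings

def scan_files(files: dict) -> list:
    """Scan every file; a pre-commit hook should refuse the commit unless this is empty."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    for path, line_no, reason in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {reason}")
```

The entropy threshold is what keeps obvious placeholders such as `password = 'changeme_changeme'` from tripping the second check while still flagging real-looking keys.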

“No, they didn’t,” you’d probably think. Then you might well go take a look at that source code, after which you’d come away shaking your head, muttering “They did!”

Of course we’re talking about Uber, who’s been sleuthing to try to find the culprit who breached its drivers database in May 2014.

The company didn’t find out about the breach until September of that year and admitted, finally, to the breach in February 2015 – leaving its drivers in the dark for months without telling them their information had been breached.

On the same day it announced the breach, Uber said that it had filed a lawsuit to get the power to “gather information to help identify and prosecute this unauthorized third party.”

Well, it’s been gathering information, all right, and while that sniffing around hasn’t exactly caught Lyft CTO Chris Lambert with his hand in the cookie jar, it seems as though an unidentified party associated with the IP address of Lyft’s tech chief has been eyeing that cookie jar.

The lawsuit Uber filed is what’s known as a “John Doe” because while the defendant is unknown, Uber said that the legal action would allow it to gather information to identify the guilty party.

At the same time, Uber filed a subpoena to force GitHub to release a trove of data Uber claimed will help it track down those responsible.

All of which gets us back to that IP address associated with Lambert.

Two anonymous sources alleged to Reuters last week that one of the IP addresses that viewed the leaked database key had been traced back to a Comcast broadband account belonging to Lambert.

That doesn’t mean that Lambert, or rather, his IP address, is suspected of being responsible for the breach.

According to Uber’s court papers, Lambert’s IP address isn’t the one from which the intrusion was launched; rather, an unidentified person using a Comcast IP address had access to the security key used in the breach.

Reuters’ sources said that the attack was launched by someone using a virtual private network (VPN) service based in a Scandinavian country that has a reputation for strenuously guarding its users’ privacy.

In a statement sent to The Register on Thursday, Lyft denied that its employees were guilty of any wrongdoing:

Uber allowed login credentials for their driver database to be publicly accessible on GitHub for months before and after a data breach in May 2014.

We investigated this matter long ago and there are no facts or evidence that any Lyft employee, including Chris, downloaded the Uber driver information or database, or had anything to do with Uber's May 2014 data breach.

I echo The Register in considering the timing of the Reuters report to be rather interesting, coming as it did a few hours before Lyft announced major partnerships: Shell’s giving its drivers fuel discounts, and it’s arranging for people who rent Hertz cars to be able to also be Lyft drivers.

Now, regarding Lambert having possibly looked at Uber’s database key, what say ye: if he did look at the key, was that irresponsible, or completely understandable?

The commenters on The Register’s article have some interesting thoughts on the matter:

as2003
If I was CTO of Lyft, and I read the news that Uber had put their codebase on GitHub, of course the first thing I'm going to do is git clone that repo. It would almost be remiss of him not to. It's quite possible he picked through the code and didn't even realise the database key was in there.

Crazy Operations Guy
I would too, but that is also why I'm not a CTO. A C-level employee is essentially the physical embodiment of the company, their actions must reflect the ideals of the company they are part of. The difference between an executive and an employee is similar to that of a head-of-state versus a private citizen. A citizen could walk into a strip club because they are curious about it, but if the president were to do such a thing, he'd be facing months of bad press, numerous calls for impeachment, and endless inquiries into their actions.

Readers, what would you have done: looked at the key, or consulted with your company’s legal counsel? Please share your thoughts in the comments section below.

Image courtesy of lyft.com