Ars Technica is reporting that Uber is scrambling to recover from an itty bitty problem. Apparently someone (probably an Uber employee) posted Uber source code to GitHub, the public source code hosting service. GitHub is a wonderful tool for storing open source code in a way that makes it easy for developers to share.
Only one teensy, weensy problem.
This code contained the userid and password for Uber’s driver database, and someone – at least one someone – downloaded the personal information of every single Uber driver.
Now Uber is trying to get GitHub to tell them every single person who accessed that code. I don’t know enough about GitHub to know if they even keep records like that – they may well not, for a variety of reasons, and they are certainly not legally required to.
This is an example of the supply chain problem that I was talking about in my previous post, only slightly twisted. Suppose it had been the code for a library you licensed, that the library contained sensitive information, and that it was publicly available.
Just so no one is deluded into thinking this is an isolated problem: the Ars folks ran a simple query against GitHub and came up with 296,000 entries similar to the Uber problem (server names, IP addresses, userids and passwords).
A similar search for WordPress came up with 2,000,000 matches.
Some of those hits did not contain an actual password value, and some point to servers that are not reachable from the public Internet (although an attacker who gets into the company by other means could still use those credentials to reach the database). Many of them, though, seem to point to production servers, reachable from the Internet, complete with userids and passwords. For obvious legal reasons, Ars did not try to log in to any of those servers.
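The triage described above, placeholder versus real value and internal versus Internet-facing host, is exactly what you want to automate before code leaves your own repository. Here is an added example of that check, written for this post and not taken from the Ars article or from Uber: it scans a few constructed sample files (a WordPress wp-config.php and its sample template, a .env file, a YAML config) for hard-coded database credentials, flags template text and environment references as placeholders, and classifies the database host as internal or external using RFC 1918, loopback and link-local ranges. The regular expressions, the placeholder list and the sample contents are my assumptions for the example, not the query Ars ran against GitHub.

```python
"""Scan committed config/source text for hard-coded DB credentials and triage
each hit: placeholder or real value, host reachable from the Internet or not.
Patterns, placeholder list and sample files are assumed/constructed for this
example; they are not the query Ars Technica ran against GitHub."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# WordPress style: define('DB_PASSWORD', 'value');
WP_DEFINE = re.compile(r"""define\(\s*['"](DB_(?:PASSWORD|USER|HOST))['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
# .env / YAML / properties style: SOME_PASSWORD=value, db_password: "value"
KEY_VALUE = re.compile(r"""^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*?(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Za-z0-9_]*)\s*[=:]\s*['"]?([^'"\s#]*)['"]?""", re.IGNORECASE)
# Credentials embedded in a connection URL: mysql://user:pw@host/db
CONN_URL = re.compile(r"(?P<scheme>mysql|postgres(?:ql)?|mongodb|redis|amqp)://(?P<user>[^:/\s@]+):(?P<pw>[^@/\s]+)@(?P<host>[^:/\s]+)")
# Values that are clearly not a working secret (template text, env references, masks).
PLACEHOLDER = re.compile(r"^(?:|\*+|x+|change[_-]?me|password|secret|.*_here|your_?\w*|<[^>]*>|\$\{[^}]*\}|\$[A-Za-z_]+|%[^%]*%|todo|fixme|example|dummy)$", re.IGNORECASE)
# Ranges not routable from the public Internet: RFC 1918, loopback, link-local, IPv6 ULA.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]


@dataclass
class Finding:
    file: str
    line: int
    kind: str            # "wp-config", "connection-url" or "key-value"
    user: str | None
    secret: str
    host: str | None
    placeholder: bool    # template text or env reference, not a usable secret
    reach: str           # "internal", "external" or "unknown"


def is_placeholder(value: str) -> bool:
    return PLACEHOLDER.match(value) is not None


def classify_host(host: str | None) -> str:
    """Say whether a DB host looks reachable from the public Internet."""
    if not host:
        return "unknown"
    h = host.strip().lower()
    if re.fullmatch(r"[^:]+:\d+", h):          # strip a trailing :port (host:port form)
        h = h.rsplit(":", 1)[0]
    if h in ("localhost", "::1") or h.endswith((".local", ".internal")):
        return "internal"
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return "unknown"                        # bare hostname: cannot tell without resolving it
    return "internal" if any(ip in net for net in PRIVATE_NETS) else "external"


def scan(filename: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    defines: dict[str, tuple[str, int]] = {}    # wp-config DB_* defines seen in this file
    for lineno, line in enumerate(text.splitlines(), 1):
        urls = list(CONN_URL.finditer(line))
        for m in urls:
            findings.append(Finding(filename, lineno, "connection-url", m["user"], m["pw"],
                                    m["host"], is_placeholder(m["pw"]), classify_host(m["host"])))
        for m in WP_DEFINE.finditer(line):
            defines[m.group(1)] = (m.group(2), lineno)
        kv = KEY_VALUE.match(line)
        if kv and not urls:
            findings.append(Finding(filename, lineno, "key-value", None, kv.group(2),
                                    None, is_placeholder(kv.group(2)), "unknown"))
    if "DB_PASSWORD" in defines:   # join the password with the host/user defined elsewhere in the file
        pw, lineno = defines["DB_PASSWORD"]
        host = defines.get("DB_HOST", ("", 0))[0] or None
        user = defines.get("DB_USER", ("", 0))[0] or None
        findings.append(Finding(filename, lineno, "wp-config", user, pw, host,
                                is_placeholder(pw), classify_host(host)))
    return findings


def scan_all(files: dict[str, str]) -> list[Finding]:
    return [f for name, text in files.items() for f in scan(name, text)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits the way the article does: placeholders vs. real secrets by reachability."""
    counts = {"placeholder": 0, "internal": 0, "external": 0, "unknown": 0}
    for f in findings:
        counts["placeholder" if f.placeholder else f.reach] += 1
    return counts


# Constructed sample files, in the shape of what the GitHub search turns up.
SAMPLES = {
    "shop/wp-config.php": "<?php\ndefine('DB_NAME', 'shopdb');\ndefine('DB_USER', 'wp_admin');\n"
                          "define('DB_PASSWORD', 'Tr0ub4dor&3');\ndefine('DB_HOST', '203.0.113.10');\n",
    "blog/wp-config-sample.php": "<?php\ndefine('DB_USER', 'username_here');\n"
                                 "define('DB_PASSWORD', 'password_here');\ndefine('DB_HOST', 'localhost');\n",
    "api/.env": "DATABASE_URL=mysql://app:hunter2@10.0.4.7:3306/app\n"
                "STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY}\nADMIN_PASSWORD=\n",
    "svc/config.yml": "db_host: db.example.com\ndb_password: \"Wint3r2015!\"\n",
}

if __name__ == "__main__":
    found = scan_all(SAMPLES)
    for f in found:   # report location and host, never echo the secret itself
        tag = "PLACEHOLDER" if f.placeholder else f"REAL/{f.reach}"
        print(f"{f.file}:{f.line} {f.kind} user={f.user} host={f.host} [{tag}]")
    print(summarize(found))
```

Run it as-is and the four constructed files yield three placeholders and three real secrets: one on an Internet-facing address, one on an RFC 1918 address (still usable by anyone already inside the network, as the paragraph above notes), and one whose host is a bare hostname that cannot be classified without resolving it. The report deliberately prints the location and host but not the secret, so the scanner's own output does not become a second leak; in practice you would wire `scan` into a pre-commit hook or CI job and fail the build on any non-placeholder hit.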
Let’s assume that 30% of the entries are valid, either internally or externally, and that only 20% are accessible externally.
20% of 296,000 is almost 60,000 web sites, and 20% of 2,000,000 is 400,000 WordPress sites, that are vulnerable.
This search was hardly exhaustive and GitHub is only one such public repository.
THIS IS A SUPPLY CHAIN PROBLEM OF SIGNIFICANT MAGNITUDE.