Uber hacked by teen who annoyed employee into logging them in - report

Uber employees trying to access internal webpages were taken to a page with a pornographic image and the message "F*&% you wankers."

The logo of car-sharing service app Uber on a smartphone (photo credit: REUTERS/SERGIO PEREZ)
The logo of car-sharing service app Uber on a smartphone
(photo credit: REUTERS/SERGIO PEREZ)

A teen hacker has alleged to have hacked into Uber systems by annoying an Uber employee with repeated push notifications asking the employee to approve their login.

The New York Times first reported the hack on Thursday, writing that the company had to take several of its internal communications and engineering systems offline while it investigated the hack.

The alleged hacker sent the Times and cybersecurity researchers images of the email, cloud storage and code repositories. Screenshots of Telegram conversations reportedly with the alleged hacker have been published as well.

On Friday, Uber stated that its investigation and response efforts were ongoing and that it had no evidence that the hacker accessed sensitive user data. The company added that all its services were operational and that it was bringing all the internal software tools it had taken down back online.

The hacker reportedly claimed that he had spammed an Uber employee with push notification login requests for over an hour before contacting him on WhatsApp while claiming to be from Uber IT and telling him that he would need to accept the request if he wants them to stop.

The employee then accepted the request, allowing the hacker to log in to the employee's account and access the company's internal servers.

 Cyber attack (credit: INGIMAGE) Cyber attack (credit: INGIMAGE)

Security researcher Bill Demirkapi explained in a tweet that while multi-factor authentication methods, like push login notifications or text messages with codes sent when users try to log in, can protect accounts, an attacker can set up a fake domain that sends Uber's real login page but directs users to the fake domain.

After the hacker gained access, Uber employees using the Slack messaging service received a message reading "I announce I am a hacker and Uber has suffered a data breach.”

An Uber employee told Sam Curry, a staff security engineer at Yuga Labs, that many employees thought it was a joke.

Curry tweeted that the attacker had posted screenshots showing themselves as full administrators on Amazon Web Services and Google Cloud Platform services used by Uber.

Curry added that one Uber employee told him that employees had gotten an email from IT to stop using Slack and that whenever they tried to request an internal webpage they were taken to a redacted page with a pornographic image and the message "F*&% you wankers."

The attacker stated in Telegram messages shared by Corben Leo, who finds vulnerabilities in the company's programs, that he found programming scripts that contained the usernames and passwords of an administration user in the company's internal server.

The Group-IB cybersecurity company explained in a Twitter thread that it had noticed two log files in a screenshot shared by vx-underground that they were able to identify as logs from files sold on an underground marketplace.

The logs were put up for sale just days before the Uber hack was reported and contained authorization data for an identity and access management provider used by Uber. Group-IB added that the attacker could have purchased logs in order to find accounts with privileged access to the target.

Not the first time Uber has been hacked

In 2016, hackers stole the personal data of 57 million customers and drivers from Uber, with reports revealing the breach a year later. The company paid the hackers to delete the data.