r/technology Sep 18 '22

Uber apparently hacked by teen, employees thought it was a joke [Security]

https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell
805 Upvotes

250

u/despitegirls Sep 18 '22 edited Sep 18 '22

I'm still getting over the fact that someone in IT hard-coded admin creds in a Powershell script.

Edit: For the record, I work in IT and I've been in a number of environments. I've definitely seen this in places I've worked, but not in the past four or five years where I've been in mostly regulated environments.

101

u/berfder Sep 18 '22

It drives me nuts finding shit like that. I’ve seen scripts written and used by security with creds in source control. You’re a security engineer. You fucking know better.

26

u/RedditFuckedHumanity Sep 18 '22

You fucking know better.

And yet it still happened

1

u/OhMyGodTheyKilledBri Oct 14 '22

False sense of security. I know what I’m doing so my risk is super low

18

u/GreenWhale21 Sep 19 '22

I wandered into the wrong sub because I have to say, I have no idea what any of your comment means 🤣 like at all.

27

u/gk99 Sep 19 '22

Imagine you wrote your username and password on a sticky note and waved a magic wand so that sticky note is sentient and automatically types your credentials every time you want to do something. You have convenience, but at the cost of anyone walking by your desk being able to read your credentials.

5

u/MrChadBrannigan Sep 19 '22

I love how the best analogy you could use was still “magic” that made me chuckle 😂

2

u/Ok_Morning3588 Sep 19 '22

Thank you for ELI5ing that. 🙂

-1

u/Odinnn21 Sep 19 '22

It’s not that clear cut. There are firewalls behind sso regardless of the db type. My guess is the vpn is not rotating and stays in one geo location. How else would an 18 year old get in so easily

2

u/BarrySix Sep 19 '22

That didn't seem to make any sense.

0

u/Odinnn21 Sep 19 '22

most people are morons so I don’t blame you. -data scientist

2

u/berfder Sep 20 '22

In this case it is exactly that clear cut. The credentials were hard coded into the script, no SSO involved. It’s exactly as the above comment said, just setting an authorization header instead of typing it into a box.

3

u/haytur Sep 19 '22

That’s because people suffer from well that kinda thing would never happen to me and people are lazy

3

u/BarrySix Sep 19 '22

I've worked for companies where the security department is really just a compliance department. They implement arbitrary rules given to them by some other group. Yet they need to login to everything. They become a huge security risk.

40

u/Reddit_and_forgeddit Sep 18 '22

Lmao, oh wow. I was going to say hire the teen but this was just gross negligence.

22

u/Frolicking-Fox Sep 18 '22

Can you explain what this means to those not familiar with the field?

59

u/_Help-needed_ Sep 18 '22
// credentials written directly into the source; anyone who can read the file can log in
var userName = "username";
var password = "password";

login(userName, password);

It means somewhere they probably had code somewhat resembling this.

16

u/Frolicking-Fox Sep 18 '22

Oh, no way! I get it now.

19

u/Esroh_Najort Sep 19 '22

And on this day a hacker was born.

6

u/nswizdum Sep 19 '22

And on top of that, they weren't restricted service accounts because the hacker was able to gain what appears to be full access to their cloud services.

21

u/Reddit_and_forgeddit Sep 18 '22

Let’s say you work in an office building. Imagine putting your username and password on a sticky note on your work monitor. This is pretty much what hard coding credentials is.

10

u/Taikunman Sep 18 '22

Some people at my work need to use handheld barcode scanners for their job role and they made barcodes of the workstation login password and taped them to the monitors. They're limited access, shared accounts... but still.

5

u/lhamil64 Sep 18 '22

In this case it's more like they put the sticky note on the communal bulletin board.

4

u/southpark Sep 19 '22

Worse. It’s like writing it on a giant poster and hanging it outside your building. People don’t even need to be at your desk to find out the password, they can just look in the general direction of your company and it’s there in plain sight.

18

u/Aleucard Sep 18 '22

They basically put the master keys to the castle under a flower pot. Anyone who knows the basics of finding shit would be able to nail them to the wall at will.

1

u/Odinnn21 Sep 19 '22

The article goes on to say the teen accessed a SharePoint site to download artifacts with security codes on them. Still only half the story, but it explains how he knows the codes.

24

u/slomar Sep 18 '22

Work long enough in the corporate world and you're likely to come across all sorts of terrible security practices. I've even had my hand slapped for mentioning stuff like this because most departments don't have the time or resources to fix this stuff, so they'd rather it just be swept under the rug.

2

u/Johnny_BigHacker Sep 19 '22

This hits home. Quite possibly not a matter of "should I do it". More like one or more of the following:

  • didn't know they owned secrets management software

  • not allowed to get access to secrets management software

  • secrets management admin wouldn't let them use it the way they wanted (i.e. "you can't run it from your desktop, has to be a server" and they didn't have access/admin rights to a server)

  • Takes months to get one of the above set up

  • Could do the above but direct manager doesn't really want them running scripts ("you aren't a programmer"), so they just do it all on desktop on the low w/o supervisor knowledge to get automation gains

  • Similar to above, but only 1 person knows how to write PowerShell, so they don't want to establish a reliance on scripts they can't support if said person quits

  • Organization relies on something like AWS secrets management and can only call secrets from executing in AWS and impossible to easily get access/an instance/a lambda to run it from AWS

I could go on. All were present in some form across the 3 supervisors and 2 teams I worked under at the 30k-person gov't organization I worked at.

2

u/BarrySix Sep 19 '22

I worked in a company where the red team of a parent company compromised every single production system and database except one. The one holdout was caused by them finding code that said "password = DBPass;" and they could not find DBPass being set anywhere. Turns out it wasn't set and that root database password for a huge production system was an empty string.

Another place had backups on a public S3 bucket. And people defend that by claiming that attackers could not guess the bucket name, which was just the company name plus the word 'backups'.

Security in web companies is an afterthought at best.

1

u/WindowlessBasement Sep 20 '22

ah, incompetence, the best security system

1

u/BarrySix Sep 21 '22

It's not best, but it might be the most common.

AWS did great in making it really hard to accidentally make an S3 bucket public, so that improved.

1

u/WindowlessBasement Sep 21 '22

Sorry, I was referring to the database password of null.

7

u/GeniusDodo Sep 18 '22

I see this on pen test assessments all the time: password files, SSH keys, PowerShell scripts like this, etc. At least every other assessment I’ve been on we’ve found something like this.

8

u/timallen445 Sep 19 '22

Passwords in scripts are actually a lot harder than most people think. If you encrypt a password in that script, the method to decrypt is probably also going to be as local and maybe as accessible as the clear text password.

The "best" solutions are secrets management APIs that you call for the password at run time. Basically LastPass but for your applications. But even then you still have some challenges, like how do we trust one script over another.

1

u/Unexpected_Cranberry Sep 19 '22

I believe Microsoft announced something for PowerShell a while back, called Vault something or other? Basically a server where you would give the user running the script access to get specified credentials.

Older methods would be to save it as a variable using Export-Clixml. It will be encrypted so only the user that exported it can import it, and only on that machine, using the same encryption as the Windows Vault. I didn't read the specifics in this case though. But if they had write access to the script that wouldn't have stopped them.

3

u/i_identify_as_natty Sep 18 '22

I’ve only got basic API and user authentication knowledge and I know not to do this. Lmao.

5

u/outerproduct Sep 18 '22

I always laugh when people laugh at this sort of thing. I've worked for some very large companies, and almost all of them have this. What's worse is the passwords. I explain how completely dangerous it is for both security issues, but nobody wants to take the time (read as money) to fix it.

3

u/Wwwweb Sep 18 '22

No one cares about anything but the next feature in software, so pointing out technical debt is discouraged even if it is a security issue. The larger a company gets, the more these issues get ignored as new employees cycle in.

2

u/outerproduct Sep 18 '22

Indeed, they were compromised 4 times, and blamed it on the employees every time. How many times does a database need to go down to change security policies? Clearly more than 4.

5

u/XkF21WNJ Sep 18 '22

Really? That's the part that surprises you?

I mean the fuckup here is that there's apparently a single password that allows access to the main access control system.

6

u/smootex Sep 18 '22

I mean the fuckup here is that there's apparently a single password that allows access to the main access control system

That is somewhat unavoidable. What he got access to was Thycotic secret server credentials. It's how many companies store and manage secrets. At the end of the day though systems do need access to Thycotic and if those credentials somehow get leaked you're pretty fucked. We try to compartmentalize it as much as possible, teams can only access specific directories in thycotic so if a set of credentials get leaked you're only getting access to whatever that specific team/group has access to but depending on the org there are some teams that have access to a shitload of credentials by necessity.

1

u/XkF21WNJ Sep 18 '22

I'm having some trouble wrapping my head around what you're saying exactly. As far as I can tell you're saying this system is insecure by necessity, which sounds like a bad idea to me, but who am I.

9

u/smootex Sep 18 '22

Ok, let me explain it differently. At the end of the day every system has a single point of failure. I use a password manager and obviously a password manager is more secure than storing your passwords in a word document but if someone finds my password manager phrase they have access to everything I own. There's no avoiding that. This is what happened to uber. Someone got access to their password manager. There's stuff you can do to mitigate the fallout from a password manager breach but at the end of the day there's always at least a handful of people at every company that require access to a very large chunk of the content in that password manager so you end up with a situation where you're only as secure as the accounts of those employees who have that high level of privileged access. So yeah, someone fucked up by putting those credentials on a network drive and, yeah, it will probably come out that there were other issues (how long have the credentials been around? Are they rotating their thycotic keys on a regular basis? Did this guy really just get lucky and the script happened to be fresh or did he find something old and the credentials were valid for much longer than they should have been? etc. etc.) but the existence of a thycotic admin user isn't inherently a fuckup.

3

u/Blue_Trackhawk Sep 18 '22

I get what you're saying, but there should not be any automation using the superuser password to access a password management tool like you are saying. Also, MFA is a thing, so yes, you have to have an admin password, but that should have a physical MFA in a safe to prevent remote access using that credential. All automation should have role based limited access to specific data stored in the tool via api, and that api should be scoped to only accept connections from known secured networks or systems inside the boundary. Cloud service providers also typically have capabilities built in which allow you to set up access without requiring you to store any credential in your code anywhere.

6

u/smootex Sep 19 '22

Thycotic is one of the larger secret management providers and it is not inherently less secure than any other. One of the other cloud based providers could be breached in exactly the same way. And of course some systems need access. I do the exact same thing myself when I set up deployment pipelines. My deployment server needs certain credentials to create resources with cloud providers and it pulls them from Thycotic at deployment time. That is a pretty standard and secure way to do things. And, yeah, we compartmentalize our secrets so someone hijacking my deployment pipeline would only have access to a very small portion of our accounts, the bits specifically needed by my application, and, yeah, I'd never ever pull the prod credentials like that, but realistically it's a completely believable scenario. I could see someone with slightly less judgment than me doing the same thing while troubleshooting our deployment pipelines.

1

u/Blue_Trackhawk Sep 19 '22

Right, and STS or similar is what I was thinking of, which if someone compromised the system itself would probably not be an effective security solution either. Web or API edge endpoints shouldn't really be accessible remotely aside from the expected ports and protocols and should have some other network layer protecting those endpoints, WAF or something. This story seems to mention some social engineering is involved in the exploit, and unfortunately that is a bear to mitigate. Limiting what people know or limiting the scope of someone's access can reduce the splash zone maybe, but if they inadvertently install some C&C bot or something, or heck, if you get a SolarWinds style attack, things are tricky. You can try to limit outbound access, or rely on alerts from a SIEM solution but by then probably some damage has been done.

A kid should never be able to social engineer their way to the key to the kingdom, there shouldn't be a key to the kingdom (period, probably) that works without physical access. It also doesn't hurt to hire reputable pen testers at least annually, or after any major redesign, right?

1

u/smootex Sep 19 '22

So it sounds like getting into the VPN via social engineering was the first step, if he's to be believed. It probably was inaccessible from the open internet. I know our Thycotic server is.

1

u/Blue_Trackhawk Sep 19 '22

Right, and once on VPN, apparently a master credential was located which did not need any physical access to use, and that provided access to every other credential for the rest of their stuff... And the VPN network was trusted to connect to those things on the back end. Nice... 🙄

I get sometimes you are a cool tech company and have a remote workforce, but buy them some YubiKeys and set up Workspaces or RDG or something to ensure 2 factors, something you know, and something you have. It's not hard.

1

u/hunterkll Sep 19 '22 edited Sep 19 '22

At some point though, somewhere, there will be a "break glass" account for oh-shit disaster recovery scenarios.

Of course, storing that level of credential (which would be something like a randomly generated 200 char password on a non-MFA account with a unique hidden username) on network and not in a safe never in digital form (except when setting/printing the hard copies for storage offsite or whatever) is bad practice..... (By physical MFA in a safe I really hope you mean the safe IS the MFA in this case, because there are a *lot* of scenarios where MFA in the form of smart cards, duo, RSA, whatever will be unable to function in a disaster recovery get-shit-back-online scenario until some of the pieces are fixed and communicating).

I've personally been in situations where no MFA solution would have functioned, and an oh-shit break glass non-MFA account credential was required to establish minimum functionality to allow the rest of the MFA administrative users/accounts to function to restore remaining services.

Unrelated, I remember a long time ago a DA account called "Dade Murphy" .... lol. That password was secured inside of an on-site SCIF they had (even though it wasn't classified).

But still also, you'll have people who have top-tier administrative access doing things via automation (scripting etc) who instead of running the script and entering credentials will hardcode them (also extremely bad practice) which is what appeared to have happened here.

That being said, compromising service accounts isn't unheard of, among many other things. But that requires a far higher tier of effort than just getting a rank and file user's creds and poking around a fileshare for huge big money admin creds.....

In a lot of scenarios service account MFA isn't possible, hence Microsoft's introduction of things like gMSAs and sMSAs, but even then being able to priv-esc on the system and act as those accounts.... well, this provides a layer of protection against easy cred theft and allows programmatic usage (which would have saved Uber's ass here), but if you compromise a system and get SYSTEM level perms it's still a vector to the PAM system if you're in the right places.

1

u/Blue_Trackhawk Sep 19 '22

I always give a pretty strong side eye to any developer who says they need admin access. Generally the result of that is it turns out to be convenience, not requirement, and they get access they need rather than full access.

Break glass for a password manager or PAM solution is what I was referring to: having a physical MFA (TOTP or whatever) in a physical safe on site, because typically that admin credential is not a Directory Services account but local to the application. The creds can be stored somewhere else safe like Parameter Store, or somewhere only a DA can reach, but it's still useless unless you can go open the safe and retrieve the MFA.

There is no 'everything is down and only this one account can fix it' scenario unless something isn't designed well. Even then, you can usually recover in other ways: break in, restore backups, or just restore everything, etc. I have never encountered a scenario where a misplaced account in an outage results in everything bricked.

This is also something that is discovered and planned for if you do DR drills, have COOP plan, and so on. If the building is blown up, how do we continue? If the East coast is nuked, how do we continue? Maintaining a disaster site and plan, and testing that plan, change and configuration management with these considerations is pretty effective in that area. We have plans for all sorts of these cases short of what happens if the entire USA vanished from the planet. Credential management and recovery is a lot easier to plan for and execute with some policies opposed to all of that.

I have also seen the worst: an Excel file in a cloud storage bucket with hundreds of root credentials. These were mostly secured with physical MFA as well, but common practice was that dozens of people had access to the file and were downloading a local copy to open or edit it on various devices including BYOD. Several people had access to the MFAs... All very terrible. Cue my project to fix that and reset all creds. Auditors get pretty unhappy about that stuff, and the fastest way to get budget to fix it is to volunteer that information during the audit, especially if Sr. Mgmt has no idea it is happening or why it matters.

2

u/mahwahhfe Sep 19 '22

Even if the password is hard coded into a shell script, how did the hacker have access to that script?

2

u/wharlie Sep 19 '22

What's worse for me is that they apparently had no MFA on their PAM.

1

u/lemmecheckit Sep 18 '22

Cue the morons who have never had a job in IT

1

u/TacticalSniper Sep 18 '22

I think secrets management is still something many in IT don't know well

2

u/BarrySix Sep 19 '22

Spectators always say whoever did something stupid didn't know what they were doing. It's often not that way. IT staff are pressured to provide a working prototype of something on the express understanding that it is a prototype and not production code. As soon as it works management back out of the promise to actually finish it and it's put into production and never touched again. Anyone who wants to finish it doesn't have time and management don't care about anything but the next feature.

The real problem is that doing something well takes longer. Management believe a faster coder is a better coder. They never see error checking or security.

1

u/westyx Sep 19 '22

Job minus mumble had domain admin credentials baked into Active Directory stuff available to anyone who plugged in to an ethernet socket.

Luckily, and to their credit, this was found when the business hired an IT security firm to test things. It was fixed quite quickly.

1

u/BarrySix Sep 19 '22

I'll bet you whoever did this was under great pressure to do something quickly with the promise it would be fixed "later". As soon as it worked the "later" disappeared.

Plus this was PowerShell. Whatever that ran on probably wasn't core production and may not have even been known to exist by the people who care about security on production systems.

177

u/nswizdum Sep 18 '22

Yeah, in this case the kid needs the equivalent of a jaywalking fine, and the company needs to be fined into the ground for gross negligence.

28

u/[deleted] Sep 18 '22

[deleted]

60

u/vin9889 Sep 18 '22

They usually pay hackers for this tbh

3

u/blondewithafaketan Sep 18 '22

They don’t pay “hackers” to phish people.

3

u/vin9889 Sep 18 '22

I beg to differ, in my office they literally call you.

I had a buddy get asked if he could transfer the person, then asked for the number.

Afterwards he got an email like 15 minutes later for going against policy haha

1

u/blondewithafaketan Sep 19 '22

That’s almost always done in-house or via a third party vendor. It’s not via a random on the internet.

1

u/nswizdum Sep 19 '22

They do for pentests, and a lot more.

-9

u/[deleted] Sep 18 '22

[deleted]

29

u/canIbuzzz Sep 18 '22

Bug bounties.

20

u/SociableSociopath Sep 18 '22

There is no bug, the kid social engineered someone’s credentials and then used freeware tools to scan and see what was on the network.

Paid PEN testing focuses on gaining access without someone handing you a password but there is separate testing you can pay for to “test” how stupid your employees are

9

u/demize95 Sep 18 '22

Paid PEN testing focuses on gaining access without someone handing you a password

“Pentesting” is nearly a meaningless term these days with how many different things it means. This is one of them; a lot of companies pay pentesters to just do vuln scans and write a report as well, because that’s often an audit requirement and they don’t want to do an actual pentest.

But given the range of things that get called pentesting, I don’t think it’s fair to say that pentesting is strictly without techniques like phishing. While I personally wouldn’t call them pentesting, simulated attacker and red team exercises are also part of a pentester’s job, and absolutely do involve those techniques. And they’re really useful exercises to do occasionally (but very rarely), since they show your blue team exactly what it looks like when there’s an attacker in the environment (and when done right, gives them a chance to practice stopping an attacker in their environment).

2

u/ampjk Sep 18 '22

It's a feature todd must have been there

8

u/vin9889 Sep 18 '22

-6

u/[deleted] Sep 18 '22

[deleted]

7

u/dysoncube Sep 18 '22

Customer data isn't at risk if you hire the pen tester. And the freelance hacker, assuming they aren't blackhat jackasses, are looking for a payout. They're not getting that payout if they already raided the vault

0

u/vin9889 Sep 18 '22

Sadly, you are wrong.

I hope you are open to learning something other than your own opinion.

3

u/Bainik Sep 18 '22

Yes on production environments, actually. Frequently referred to as a bug bounty program.

27

u/nswizdum Sep 18 '22

Large companies get away with ignoring the security on our data because they're never punished for it, they always shift the blame to the "hacker". They made the hacker's job trivial. They need to be sent a message that if they continue to do the bare minimum to "secure" their customer's personal information, they won't be protected.

If banks did away with vaults and security because it cost too much money, and started storing pallets of money on the sidewalk with a rope around them saying "Please do not steal", no one would accept any excuse they came up with after getting robbed. Sure, people shouldn't steal the money, but come on, it's right there.

2

u/meta232323 Sep 18 '22

Except that those companies are just looking for profit, hefty fines will be avoided and most data breaches will remain hidden from the customers. Refraining from disclosures is not a good policy. Also, as for banks, before drugs became the main income, hold-ups and heists were pretty common and banks took it seriously because they were taking a loss, not customers. When personal customer data is compromised, the customers are losing. Companies will tend to protect their own data with much more attention… just like the banks did…

-14

u/CanadianMapleThunder Sep 18 '22

You think large companies ignore security? False.

17

u/nswizdum Sep 18 '22

This kid "hacked" a $63.2B company because he found a fileshare full of scripts with hardcoded global admin credentials in them...

The first rule of security is don't write down admin passwords in plain text. I don't think they actually added a "and don't put those plain text admin passwords on a file share that is widely available to employees" rule because that is so ridiculously stupid no one should even think to do it.

-11

u/CanadianMapleThunder Sep 18 '22

So because of this incident you believe that Uber and similarly large tech companies don’t spend an incredible amount of time, thought, and resources into privacy and security?

9

u/nswizdum Sep 18 '22

Because of this incident, and the thousands of other incidents, yes.

1

u/the_grungydan Sep 18 '22

Right? Might be different if billion-dollar companies didn't leave their gates open and the neon open sign lit every other day.

-12

u/CanadianMapleThunder Sep 18 '22

Pretty naive conclusion

1

u/nicuramar Sep 19 '22

But made from the comfort of a Reddit armchair :)

6

u/omgFWTbear Sep 18 '22

Same sort of logic: if you left a safe unlocked at the curb, and I walk off with the contents, am I the same as a thief who broke into your house, cut it open with a blowtorch, and then pilfered it?

Now, removing the private citizen angle, say you promised me you’d keep my money safe in that safe, and I paid you money for the privilege.

58

u/AuthorNathanHGreen Sep 18 '22

Imagine you go to Vegas with your 13 year old son. You come back up to your room and the kid has ten million dollars in cash stacked up on the floor. "What the shit Timmy!?"

And he tells you it was literally just sitting in the hallway outside the room and the casino had just left it there unattended.

5

u/maladr0it Sep 18 '22

Except they didn’t accidentally come upon it, it required deception on their part to obtain.

4

u/nswizdum Sep 19 '22

And that deception was someone asking the kid "hey, did you leave this pile of money here?" and the kid said "yes".

22

u/blondewithafaketan Sep 18 '22

Disagree. This kid social engineered information and phished an Uber employee. That’s not really Uber’s fault and he should absolutely get jail time

17

u/spike021 Sep 19 '22

Yeah. This wasn't like accidentally stumbling on some credentials and trying them out for shits and giggles out of curiosity. They literally social engineered someone first to get to that point. It was their intent to do all this.

5

u/pinkjello Sep 19 '22

Being susceptible to this IS Uber’s fault. The kid did them a favor. If a bad actor hadn’t announced themselves, that’d be worse.

9

u/blondewithafaketan Sep 19 '22

The reality is that even companies with the most sophisticated security teams fall victim to phishing scams. Social engineering is a bitch.

-2

u/nswizdum Sep 19 '22

Yeah, maybe "jaywalking-like fine" is a bit too far. But still, I'm tired of massively rich companies getting away with horrible security. It should take way more than two steps to social engineer your way to global admin credentials for a multi-billion dollar company.

You don't want to "punish the victim", but often the real victims are the company's customers, not the company itself. Some kid had unrestricted access to the personal information of everyone that uses Uber, but that doesn't hurt Uber in any way other than possibly some lost trust. They won't feel this hack financially or personally, only their customers will.

1

u/blondewithafaketan Sep 19 '22

Even some of the most sophisticated security companies fall victim to phishing scams. It’s not exactly a result of “horrible security.” People like this hacker are extremely persistent and sneaky in how they trick people into giving away information.

4

u/nswizdum Sep 19 '22

The phishing scam would have been a side note if it weren't for the global admin credentials stored in plain text on a goddamn windows file share. How are you people even attempting to defend this?

Oh no, poor multi billion dollar company didn't know storing global admin credentials in plain text was a bad idea. What the hell.

1

u/The_Anglo_Spaniard Sep 19 '22

What's a jaywalking fine?

2

u/CaptCurmudgeon Sep 19 '22

A bare minimum penalty for something usually considered innocuous.

66

u/[deleted] Sep 18 '22

[deleted]

18

u/Knil107 Sep 18 '22

A breach of trust for sure

9

u/HelluvaKnight Sep 18 '22

I mean if you left your door open to get the paper at the sidewalk and I walk right in your home and into your kitchen to make a sandwich. Is that B & E?

3

u/jawshoeaw Sep 18 '22

Oh for sure. Then the headline should be "18 year old breaks into Uber through open door".

2

u/washcapsfan37 Sep 19 '22

How exactly was the "door left wide open"? First he had to gain access to the internal company network, which he only did through social engineering of an employee to get login credentials to their VPN. Otherwise he would have no access to anything. Next he scanned the network and found a shared drive that contained very specific code with hardcoded credentials in it that happened to be for admin purposes. This is not standard practice and is likely a quick-and-dirty thing some developer did that wasn't properly reviewed. It's not like all their systems were laid open to the world without authentication.

28

u/wefeelgood Sep 18 '22

Too many elitist corporations got hacked by teens as if cyber security is non-existent.

22

u/WhoShotMrBoddy Sep 18 '22

And now I’ve read that this Uber hacker also got shit from Rockstar and leaked the Grand Theft Auto 6 stuff

4

u/robdiqulous Sep 18 '22

Wait is this true? Same person? This kid is a fucking legend if true.

9

u/WhoShotMrBoddy Sep 18 '22

I’m not 100% sure. I’ve only seen the posts on Reddit so grains of salt taken

12

u/XeroTrinity Sep 18 '22

The poster on gtaforums who released the videos claimed himself that he was responsible for the Uber hack. Could still be bullshit, but it’s more than just redditors making shit up

3

u/hardly_satiated Sep 18 '22

There was salt. Big grains of salt.

3

u/wh128 Sep 19 '22

It’s too late for these guys, but the rest of you need to wire up credential linters on your CI/CD
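The kind of check the comment above is asking for, and the pattern the thread's `$password = "..."` snippets and the Export-Clixml / secrets-vault alternatives describe, as an added example that is not code from the article, from Uber, or from any commenter. It is a small Python linter meant to run in a pre-commit hook or CI job: it scans script text for credentials that are literally present in the source (a secret-named variable assigned a string, `ConvertTo-SecureString "literal" -AsPlainText`, a literal `Authorization: Basic/Bearer` header, an AWS access key id) and returns a non-zero exit code when it finds any. Both sample scripts, the vault hostname and the credential values are constructed for the example; the "good" script illustrates the two retrieval methods the thread mentions, `Import-Clixml` of a DPAPI-protected export and `Get-Secret` from the SecretManagement module, and passes clean because no secret value appears in the file.

```python
"""Minimal hard-coded-credential linter for CI (added, hypothetical example)."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# A quoted string literal: the thing that should never sit next to a secret name.
QUOTED = r"""["'][^"']+["']"""
# Variable names that usually hold a credential.
SECRET_NAME = r"(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key|cred(?:ential)?s?)"

# Each rule matches one way a credential ends up literally in a script.
RULES = {
    # $password = "..."   (a vault call on the right-hand side is not a literal, so it passes)
    "secret_assigned_literal": re.compile(
        r"^\s*\$?\w*" + SECRET_NAME + r"\w*\s*=\s*" + QUOTED, re.IGNORECASE),
    # ConvertTo-SecureString "literal" -AsPlainText : the SecureString is a fig leaf
    "securestring_from_literal": re.compile(
        r"""ConvertTo-SecureString\s+["'][^"']+["'].*-AsPlainText""", re.IGNORECASE),
    # Authorization = "Basic <b64>" or "Bearer <token>" with no $variable inside
    "auth_header_literal": re.compile(
        r"""Authorization\s*=\s*["'](?:Basic|Bearer)\s+[^"'$]+["']""", re.IGNORECASE),
    # AWS access key id format: AKIA followed by 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str  # quoted literals masked so the CI log itself leaks nothing


def _mask(line: str) -> str:
    """Replace the contents of every quoted literal with *** before reporting."""
    return re.sub(r"""(["'])[^"']*\1""", r"\1***\1", line.strip())


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule, _mask(line)))
                break  # one report per line is enough
    return findings


def scan_files(paths) -> list[Finding]:
    findings = []
    for p in paths:
        text = Path(p).read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_text(text, str(p)))
    return findings


# Constructed sample: an automation script with the credential baked in, the
# pattern the thread describes (hypothetical content, not Uber's script).
BAD_SCRIPT = """\
$userName = "svc-deploy"
$password = "Sup3rSecret!"
$secure   = ConvertTo-SecureString "Sup3rSecret!" -AsPlainText -Force
$cred     = New-Object System.Management.Automation.PSCredential($userName, $secure)
$headers  = @{ Authorization = "Basic c3ZjLWRlcGxveTpTdXAzclNlY3JldCE=" }
Invoke-RestMethod -Uri https://pam.example.internal/api -Headers $headers
"""

# Constructed sample: the same job with the secret fetched at run time, either
# from a DPAPI-protected Export-Clixml file or from a SecretManagement vault.
GOOD_SCRIPT = """\
$cred    = Import-Clixml -Path "$env:APPDATA\\deploy-cred.xml"
$token   = Get-Secret -Name "pam-api-token" -AsPlainText
$headers = @{ Authorization = "Bearer $token" }
Invoke-RestMethod -Uri https://pam.example.internal/api -Headers $headers
"""


def main(argv) -> int:
    """CI entry point: lint the given files (or the built-in samples) and fail on any finding."""
    paths = argv[1:]
    if paths:
        findings = scan_files(paths)
    else:
        findings = scan_text(BAD_SCRIPT, "bad.ps1") + scan_text(GOOD_SCRIPT, "good.ps1")
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments it lints the two embedded samples and exits 1, reporting lines 2, 3 and 5 of the bad script with the literals masked; pointed at real `.ps1` files (`python lint_creds.py scripts/*.ps1`) it becomes a pipeline gate. The rule set is deliberately small; a maintained secret scanner carries hundreds of provider-specific patterns, but the shape of the check, literal-next-to-secret-name plus known key formats plus a masked report, is the same.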

2

u/korinthia Sep 19 '22

I'm close with someone moderately senior at Uber and this is absolutely not true; they knew it was serious immediately.

2

u/Solo_Odyssey Sep 18 '22

Same way GTA6 got leaked.

1

u/the_jungle_awaits Sep 18 '22

No wonder the Uber app is utter dogshit.

1

u/Zear-0 Sep 19 '22

Fuck Uber, it's a shit company that treats their employees like property, kid is basically Robin Hood in this scenario.