Uber left its lost-and-found database open to anyone on the internet

The Uber ride-sharing service is dogged by its fair share of controversies, and now another one has emerged which suggests - like many online companies before it - it has grown too big, too fast, and not had security embedded in its soul.

As Motherboard reports, records from its South California operations have been accidentally exposed on the internet - revealing the phone numbers of some customers, and that at least two drivers were demanding financial payments for the return of items left in the back of vehicles.

Uber lost-and-found list

Motherboard reporters were able to access what should have been an internal webpage, showing 155 items in the Uber district's lost-and-found directory, including the usual array of iPhones, credit cards, wallets, spectacles and selfie sticks.


Two hours after the press published a story about the data leaking from Uber, the webpage was removed from public access.

Such a leak of information is, of course, evidence of not just bad design - but also an indication that privacy and security are not part of the company's DNA.

Maybe in time, if it lasts that long, Uber will learn that the privacy of customers is sacrosanct and everything should be done to make mistakes like this impossible. But until that day, you have to cross your fingers and trust that they're not going to have another accident, or indeed dump you on the side of a motorway at 3am.

My guess is that Uber hasn't learnt to walk the privacy walk yet. In fact, my guess is that they're probably still crawling.


One Response

  1. Coyote

    February 10, 2015 at 8:30 pm #

    "Maybe in time, if it lasts that long, "
    Let's hope not.

    "Uber will learn that the privacy of customers is sacrosanct and everything should be done to make mistakes like this impossible. But until that day, you have to cross your fingers and "
    Yes, mistakes are forgivable in certain circumstances but iff they actually learn from them (and act on what was learnt). That is iff, not 'if'. Big difference. Still, this type of mistake is hardly acceptable (and I'll not get into the actual politics of the contents of and the story itself i.e. the leaked data).

    "trust that they're not going to have another accident, or indeed dump you on the side of a motorway at 3am."
    Well there's no words for that example, not the example itself. Even more reason to wish they don't survive (as a company). If they do, though, hopefully they wake up to that type of thing – that is directly against their service, isn't it? Of course a lot of things are against their service but I suppose that's beside the point.

    "My guess is that Uber hasn't learnt to walk the privacy walk yet. In fact, my guess is that they're probably still crawling."
    Indeed. Regrettable that their vehicles aren't crawling too so as to actually prevent others from using their service and getting themselves into trouble (of course there is always the other, better option of them actually improving; however, at this time, it doesn't seem like it'll be any time soon).
