A teenage hacker claims to have broken into Uber's systems by bombarding an Uber employee with repeated push notifications asking the employee to approve the attacker's login.
The New York Times first reported the hack on Thursday, writing that the company had to take several of its internal communications and engineering systems offline while it investigated the hack.
The alleged hacker sent the Times and cybersecurity researchers screenshots of Uber's email, cloud storage and code repositories. Screenshots of Telegram conversations, reportedly with the alleged hacker, have been published as well.
On Friday, Uber stated that its investigation and response efforts were ongoing and that it had no evidence that the hacker accessed sensitive user data. The company added that all its services were operational and that it was bringing all the internal software tools it had taken down back online.
The hacker reportedly claimed to have spammed an Uber employee with push-notification login requests for over an hour, then contacted him on WhatsApp, posing as Uber IT, and told him that the requests would only stop if he accepted one.
The employee then accepted the request, allowing the hacker to log in to the employee's account and access the company's internal servers.
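The pattern described above, a long run of push prompts that ends in an approval, is visible in authentication logs. As an added, defender-side illustration (not Uber's code and not any MFA vendor's tool), the following Python script parses a constructed CSV log of push events and flags users who received more prompts than a threshold inside a sliding window, recording whether the burst ended in an approval. The log format, the event names (`push_sent`, `push_denied`, `push_approved`) and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ISO = "%Y-%m-%dT%H:%M:%SZ"

# Assumed thresholds; a defender would tune these to the real prompt volume.
PROMPT_THRESHOLD = 5            # prompts inside the window that count as bombing
WINDOW = timedelta(minutes=60)


def _build_sample_log() -> str:
    """Constructed sample log (timestamp,user,event,source_ip): 'alice' gets a
    push prompt every five minutes for an hour and denies each one, then
    approves the last; 'bob' gets one prompt and approves it normally."""
    t0 = datetime(2022, 9, 15, 20, 0, 0)
    lines = []
    for i in range(12):
        ts = t0 + timedelta(minutes=5 * i)
        lines.append(f"{ts.strftime(ISO)},alice,push_sent,203.0.113.7")
        lines.append(f"{(ts + timedelta(seconds=8)).strftime(ISO)},alice,push_denied,203.0.113.7")
    last = t0 + timedelta(minutes=61)
    lines.append(f"{last.strftime(ISO)},alice,push_sent,203.0.113.7")
    lines.append(f"{(last + timedelta(seconds=20)).strftime(ISO)},alice,push_approved,203.0.113.7")
    lines.append("2022-09-15T20:10:00Z,bob,push_sent,198.51.100.4")
    lines.append("2022-09-15T20:10:06Z,bob,push_approved,198.51.100.4")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text: str):
    """Parse CSV lines into (timestamp, user, event, ip) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, ip = line.split(",")
        events.append((datetime.strptime(ts, ISO), user, event, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_fatigue(events, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return {user: finding} for every user who received at least `threshold`
    push prompts inside any span of length `window`. The finding counts prompts
    and denials from the start of the burst onward and records whether the burst
    ended in an approval, which is the case that needs an immediate response."""
    by_user = defaultdict(list)
    for ts, user, event, ip in events:
        by_user[user].append((ts, event, ip))

    findings = {}
    for user, evs in by_user.items():
        prompts = [ts for ts, ev, _ in evs if ev == "push_sent"]
        start = 0
        for end, ts in enumerate(prompts):          # sliding window over prompts
            while ts - prompts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = prompts[start]
                later = [ev for t, ev, _ in evs if t >= burst_start]
                findings[user] = {
                    "first_prompt": burst_start.strftime(ISO),
                    "prompts": later.count("push_sent"),
                    "denials": later.count("push_denied"),
                    "approved_after_burst": "push_approved" in later,
                    "source_ips": sorted({ip for t, _, ip in evs if t >= burst_start}),
                }
                break
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

The sliding window is keyed on prompt timestamps only, so a user who legitimately logs in a few times a day is never flagged, while a burst of denials followed by an approval surfaces with the source addresses that triggered it. A finding with `approved_after_burst` set is the one worth paging on, since by then the session is already established.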
Security researcher Bill Demirkapi explained in a tweet that while multi-factor authentication methods, such as push login notifications or text messages with codes sent when users try to log in, can protect accounts, an attacker can set up a fake domain that relays Uber's real login page to users who are directed to that fake domain.
This story is still developing and these are some extreme claims, but there does appear to be evidence to support it. The attacker shared several screenshots of Uber's internal environment, including their GDrive, VCenter, sales metrics, Slack, and even their EDR portal. 8/N pic.twitter.com/bmOMJiUCuy
— Bill Demirkapi (@BillDemirkapi) September 16, 2022
After the hacker gained access, Uber employees using the Slack messaging service received a message reading "I announce I am a hacker and Uber has suffered a data breach."
An Uber employee told Sam Curry, a staff security engineer at Yuga Labs, that many employees thought it was a joke.
Curry tweeted that the attacker had posted screenshots showing themselves as full administrators on Amazon Web Services and Google Cloud Platform services used by Uber.
From an Uber employee: Feel free to share but please don't credit me: at Uber, we got an "URGENT" email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message "F*** you wankers."
— Sam Curry (@samwcyo) September 16, 2022
Curry added that one Uber employee told him that employees had gotten an email from IT to stop using Slack and that whenever they tried to request an internal webpage they were taken to a redacted page with a pornographic image and the message "F*&% you wankers."
The attacker stated in Telegram messages shared by Corben Leo, a security researcher who finds vulnerabilities in companies' programs, that he found scripts on the company's internal servers containing the username and password of an administrator account.
Apparently there was an internal network share that contained powershell scripts..."One of the powershell scripts contained the username and password for a admin user in Thycotic (PAM) Using this i was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite" pic.twitter.com/FhszpxxUEW
— Corben Leo (@hacker_) September 16, 2022
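The messages above describe the weak point as PowerShell scripts on an internal share with a privileged account's credentials written into them. As an added, defender-side illustration (not Uber's code and not any vendor's product), the following Python script scans PowerShell files for the most common ways credentials end up embedded in them and reports the file, line and matching rule. The rules are assumed heuristics, and the two sample scripts, their `.example.internal` host names and the credential values are all constructed for the example; `Connect-VIServer` is the real PowerCLI cmdlet, used here only as a plausible consumer of a hard-coded password.

```python
import re
from pathlib import Path

# Heuristic rules for credentials embedded in PowerShell. These are assumed
# patterns for illustration, not an exhaustive secret-scanning ruleset.
CREDENTIAL_RULES = [
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?(['\"]).+?\1\s+-AsPlainText", re.I)),
    ("password-parameter",
     re.compile(r"-(?:Password|Pass|Pwd)\s+['\"][^'\"]+['\"]", re.I)),
    ("password-variable",
     re.compile(r"\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*['\"][^'\"]+['\"]", re.I)),
    ("pscredential-literal",
     re.compile(r"New-Object\s+(?:System\.Management\.Automation\.)?PSCredential\s*\(\s*['\"]", re.I)),
    ("asplaintext-flag", re.compile(r"-AsPlainText", re.I)),
]

# Constructed scripts standing in for what might sit on an internal share.
# Host names and credential values are made up for the example.
SAMPLE_SCRIPTS = {
    "backup-secrets.ps1": """\
# Constructed example of the bad pattern: credentials embedded in the script.
$user = "svc_pam_admin"
$password = "Winter2022!"
$secure = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api/secrets" -Credential $cred
Connect-VIServer -Server vcenter.example.internal -User $user -Password "Winter2022!"
""",
    "rotate-logs.ps1": """\
# Constructed example of the safer pattern: the credential is supplied at run time.
param([PSCredential]$Credential = (Get-Credential))
Get-ChildItem $env:TEMP | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) } | Remove-Item
""",
}


def scan_text(path: str, text: str):
    """Return one finding per line that matches a rule (first matching rule wins)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in CREDENTIAL_RULES:
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "rule": rule})
                break
    return findings


def scan_directory(root: str, suffixes=(".ps1", ".psm1")):
    """Walk a real directory (for example a mounted share) and scan every script."""
    findings = []
    for file in Path(root).rglob("*"):
        if file.is_file() and file.suffix.lower() in suffixes:
            findings.extend(scan_text(str(file), file.read_text(errors="replace")))
    return findings


def scan_samples():
    """Scan the constructed in-memory scripts."""
    findings = []
    for path, text in SAMPLE_SCRIPTS.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for finding in scan_samples():
        print(f"{finding['path']}:{finding['line']}: {finding['rule']}")
```

Run against the samples, the scanner flags only `backup-secrets.ps1`, on the literal password assignment, the `-AsPlainText` conversion and the `-Password` argument, while the script that asks for a `PSCredential` at run time produces no findings. Pointing `scan_directory` at a mounted share gives the same report for real files; the rules are deliberately simple, so the point is to surface candidates for review and migration into a secrets store rather than to replace a full secret scanner.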
The cybersecurity company Group-IB explained in a Twitter thread that it had spotted two log files in a screenshot shared by vx-underground and identified them as logs from files sold on an underground marketplace.
The logs were put up for sale just days before the Uber hack was reported and contained authorization data for an identity and access management provider used by Uber. Group-IB added that the attacker could have purchased logs in order to find accounts with privileged access to the target.
Not the first time Uber has been hacked
In 2016, hackers stole the personal data of 57 million customers and drivers from Uber, with reports revealing the breach a year later. The company paid the hackers to delete the data.