Some Uber ride data is publicly accessible through Google

September 4, 2015  By Pierluigi Paganini


Some Uber trip information is publicly accessible through simple Google queries, the set includes trip and user info, and home and work addresses.

Rapid diffusion of technology makes easy phenomena of accidental data leakage, the last one is related to the popular car service Uber. Dozens of trips of Uber customers have been cached by Google, making them available for searchers. Some Uber trip info is publicly accessible through Google by searching for “trip.uber.com” in Google.

The search engine display a list of past trips in the search results for the above query, the trips are shared by the Uber users from the mobile app allowing others to track their current location and other data related to the trip.

Uber data leakage results

Some of these rides date back as far as 2013, they include trips from various countries like the US, UK, Russia, Indonesia, India, and the Philippines.

The problem is that the shared information also includes the driver’s name and car registration. The problem emerged after that Twitter and Google have entered into a partnership that allowed the search engine access to the Twitter data.

In the specific case, many Uber users tweeted their location and estimate arrival times.

It is clearly a problem of data visibility, today it is possible to view a restricted set of information related each trip from the “shared trip” page. This page displays users only a map with the arrival and destination provided by the Uber user through the Uber mobile app, the route and also the first name of the driver and passenger.

It is important to highlight that credit card data, usernames and passwords were not compromised.

But Uber, manage a bigger set of data related to the rides, such as home and work address data, and of course dates and times that trips were made.

By cross-referencing the search results for hackers is quite simple to discover more personal information on passengers, including full name, job description and motivation of the trip. It is sufficient to link the Uber data with information from open sources such as social media.

“Personally, I’m not that concerned about it, but I may be a bit out of the norm. I hyper share my location publicly. I also publicly tweeted my trip, so I fully expect that people would be able to see it,” said the person, who we are choosing not to identify.

Zdnet.compublished a detailed article on the case, it has the opportunity to track one of the Uber customers whose data were accidentally revealed.

“I gave him the rundown of what I thought he was doing, based on the route locations, time of day, and other information I could gather from his Twitter account. I knew when, where, and how, but I didn’t know why he had taken that Uber that day. He gave his side of the story. In his words, “you got fairly close.”” states ZDnet.

“Again, we are very public people, so this isn’t a huge deal to me… but I can totally see why other people may be concerned,” he added.

“I think being able to personally access all of your trip history via the app or Uber.com is great (which you can do). But I don’t really think keeping these trips publicly accessible in the long term serves much of a purpose,” 

Despite we cannot consider the problem as the result of a security flaw because users shared their info, Joe Sullivan, UberCSO confirmed the company is investigating the issue.

“We found that all of these links are deliberately shared by users. Our user data is critical; will look for ways to further improve.”

The discovery of Uber data in the Internet might raise new privacy concerns, in the past some users decide to stop using the sharing features such as the “share ETA feature” fearing the exposure of their information.

Uber has faced controversy in the past over its data policies, privacy advocates contested the level of access the company employees have to individuals’ trip information.

“This is not a data leak. We have found that all these links have been deliberately shared publicly by riders. Protection of user data is critically important to us and we are always looking for ways to make it even more secure.” is the comment of Uber spokesperson Molly Spaeth.

Pierluigi Paganini

(Security Affairs – Uber, data leakage)



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Barclays creates its own red team to attack its systems to find flaws

 Barclays has created a red team to hack its own computer systems to discover and exploit security vulnerabilities before...