The rapid diffusion of technology makes accidental data leakage easy; the latest case involves the popular car service Uber. Dozens of Uber customers' trips have been cached by Google, making them available to anyone who searches. Some Uber trip information is publicly accessible by searching for “trip.uber.com” in Google.
The search engine displays a list of past trips in the results for that query. The trips were shared by Uber users from the mobile app, which allows others to track their current location and other data related to the trip.
Some of these rides date back as far as 2013, and they include trips from various countries such as the US, UK, Russia, Indonesia, India, and the Philippines.
The problem is that the shared information also includes the driver’s name and car registration. The problem emerged after Twitter and Google entered into a partnership that allowed the search engine access to Twitter data.
In this specific case, many Uber users tweeted their location and estimated arrival times.
It is clearly a problem of data visibility: today it is possible to view a restricted set of information related to each trip from the “shared trip” page. This page displays only a map with the arrival and destination provided by the Uber user through the Uber mobile app, the route, and the first name of the driver and passenger.
It is important to highlight that credit card data, usernames and passwords were not compromised.
But Uber manages a bigger set of data related to the rides, such as home and work address data, and of course the dates and times that trips were made.
By cross-referencing the search results, it is quite simple for hackers to discover more personal information on passengers, including full name, job description and motivation of the trip. It is sufficient to link the Uber data with information from open sources such as social media.
“Personally, I’m not that concerned about it, but I may be a bit out of the norm. I hyper share my location publicly. I also publicly tweeted my trip, so I fully expect that people would be able to see it,” said the person, who we are choosing not to identify.
ZDNet.com published a detailed article on the case; it had the opportunity to track down one of the Uber customers whose data were accidentally revealed.
“I gave him the rundown of what I thought he was doing, based on the route locations, time of day, and other information I could gather from his Twitter account. I knew when, where, and how, but I didn’t know why he had taken that Uber that day. He gave his side of the story. In his words, “you got fairly close.”” states ZDnet.
“Again, we are very public people, so this isn’t a huge deal to me… but I can totally see why other people may be concerned,” he added.
“I think being able to personally access all of your trip history via the app or Uber.com is great (which you can do). But I don’t really think keeping these trips publicly accessible in the long term serves much of a purpose,”
Although we cannot consider the problem the result of a security flaw, because users shared their information themselves, Joe Sullivan, Uber CSO, confirmed the company is investigating the issue.
@mikko Thanks for the report! We are looking into this.
— four (@four) September 2, 2015
“We found that all of these links are deliberately shared by users. Our user data is critical; will look for ways to further improve.”
The discovery of Uber data on the Internet might raise new privacy concerns; in the past, some users decided to stop using sharing features such as the “share ETA feature”, fearing the exposure of their information.
Uber has faced controversy in the past over its data policies; privacy advocates contested the level of access company employees have to individuals’ trip information.
“This is not a data leak. We have found that all these links have been deliberately shared publicly by riders. Protection of user data is critically important to us and we are always looking for ways to make it even more secure.” is the comment of Uber spokesperson Molly Spaeth.
(Security Affairs – Uber, data leakage)