Being involved in bug bounties, don't be fooled by what happened here. This is exactly a case of extortion: the hacker had downloaded user data from Uber, and was paid off in order to delete the files. This differs from an actual bug bounty payout, where a hacker would be disqualified for extracting user information.
Yeah, I'm disappointed that the article didn't focus more on that distinction - "send us a snippet from our production database" is not really how responsible programs operate. Compare this story with a similar severity facebook bug:
> That's right, the response contained Facebook's /etc/passwd. Now we were going somewhere. By then I knew I had found the keys to the kingdom. After all, having the ability to read (almost) any file and open arbitrary network connections through the point of view of the Facebook server, and which doesn't go through any kind of proxy was surely something Facebook wanted to avoid at any cost. But I wanted more. I wanted to escalate this to a full Remote Execution.
> A lot of bug bounty programs around the web have a rule that I think is very sensible: whenever you find a bug, don't linger on messing around. Report the bug right away and the security team will consider the worst case scenario and pay accordingly. However, I didn't have much experience with the security team at Facebook and didn't know if they would consider my bug as a Remote Code Execution or not. Since I didn't want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to a RCE and then work on it while it was being fixed. I figured that would be ok because most bugs take a long time to be processed, and so I had plenty of time to try to escalate to an RCE while still keeping the nice imaginary white hat I have on my head. So after writing the bug report I decided to go out and have lunch, and the plan was to continue working when I came back.
To be honest, it's very hard to tell from the article. I get the feeling Uber is covering something up.
The hacker definitely downloaded files, but Uber also asked him to download production data to confirm the hack (um, what?). Uber escalated the payout; the hack wasn't particularly interesting, but it was substantial, so who knows there. The hacker's communication was dodgy, but he eventually met in person, and the fact he didn't want to leave his house indicates a possible social disorder.
Their handling was poor, but this may just be a case of "hating uber because they're uber".
In any sufficiently large corporation, there are so many different accounts/credentials floating around, that it's hard for anyone to keep track of them all. It's possible that the engineering team may have already invalidated the credentials that were published on GitHub. It's possible that those credentials were actually a bait, meant specifically to distract potential hackers. Asking for proof is a very quick and easy (and sloppy) way to get around all of the above.
Private user information isn't proof that valid credentials were published on GitHub. It would be faster and easier to ask for actual proof in the form of a link to a valid credential published on GitHub, and that would actually prove that they were published.
According to the article "Other emails obtained by The Times show Mr. Fletcher treated the incident as a bounty and encouraged Preacher to provide proof of the vulnerability, including sending a few lines of data from the database he had breached."
So no, this was not disqualifying and he was told to do so. This is not extortion, just pay negotiations.
I’ve been involved on the payout side of the equation. I disagree with your position.
BB’s are complicated and can be messy. You never know what the behavior of the participant will be after the award. Someone had to fight for approval of this payout at significant career risk for themselves. If we broadly assume bad faith on the reporter or on the recipients, we’ll lose the protection that bb’s can provide and white hats will be more at risk of CFAA prosecution. We need to be more willing to make mistakes when it comes to these situations.
> Someone had to fight for approval of this payout at significant career risk for themselves.
I think that, in this case, it is more likely that someone was told, or felt it to be the case, that their career or options were at risk unless they could come up with some sort of cover so that Uber could claim it did not have to disclose the leak.
There is a simple test for whether someone is seeking a bug bonus, or to extort you: if someone says he has a way to get your data and would you care to know how, it's a BB case, but if they say they have your data, give us some money to say we deleted all copies of it, that's extortion.
After reading the article, it certainly sounds like a regular bug bounty case, maybe the reaction was an overreaction.
Keep in mind this article was written by Mike Isaac who has been a thorn in the side of Uber all throughout 2017. I highly, highly doubt after all the anti-Uber articles he's written that he's an Uber shill, someone who is pro-Uber, or someone who would just blindly believe whatever Uber PR told him.
The tone is distinctively even-tempered, which leads me to believe that maybe it should be taken at face value and it wasn't a coverup at all.
I should not have presented my skepticism as a certainty, but it is based on a couple of things. Firstly, there is the length of time it took for this version of the story to come out: this you would expect from an organisation that is threading a story to be consistent with all the information about the event that has leaked (including an explanation for the delay in promulgating that story itself), without making statements that might be contradicted by further disclosures. Conversely, an entity that is just trying to get the facts straight would be best served by being forthright. Secondly, the journalists seem to be too ready to accept what they have been told, such as "Mr. Fletcher drew further details about the hacker out through emails, including ... proof that he deleted his copy of Uber’s downloaded data by looking at a virtual copy of his system provided by his host" - that cannot prove anything of consequence. Therefore, I am skeptical that the reporters have seen all the relevant communications.
I accept that this may be too conspiracy-theoretical.
The two writers, especially Mike Isaac, are pretty openly anti-Uber. To say they are the core of some conspiracy to make Uber look better is an ignorant statement about who the writers are. They said they interviewed dozens of people in getting this story, reporters (especially NY Times writers) don't rely on single sources when they report things.
They don't fail to tell law enforcement after paying kidnapping ransoms and don't consider the perp to be a law-abiding person. Also if a kidnapper was ever located domestically there'd be about a 0.00001% chance of the person getting a payout.
It's also against Canadian law to pay ransoms for kidnapping, even if you're a private citizen. (Although you'll be hard pressed to find someone who has been prosecuted for this.) The U.S. has a similar "we don't negotiate with terrorists" policy, but I'm not sure if it's explicitly illegal to send money.
Refusing to negotiate with terrorists isn’t a strategy designed to produce the best outcome in isolation. It’s to avoid providing incentives for more terrorism, despite the consequences viewed in isolation.
So “outcomes are worse if you don’t” is not relevant. Several times as many terrorism incidents with better outcomes on average is not what most people would consider effective anti-terrorism.
Sort of? Maybe? I mean, a list of people doesn't really encourage kidnapping. Someone could just use a phone book instead. Perhaps cases of witness protection or something. But those are extreme edge cases.
Sorry, but is there a better record on this issue?
This article just tries to connect vaguely described events into a story. Very poor journalism, reading this is a waste of time.
Was the vulnerability a dumb mistake or an unexpected exploit? Was it disclosed to the company in advance? How does this case differ from other cases so that there are four lawsuits now and why has everyone been fired? Because they created a bug bounty system that resulted in bug disclosure? Nothing appears to make sense and the journalist doesn't worry at all.