Hacker details plot to breach Uber’s data servers

Vasile Mereacre, one of the hackers who stole personal information from 57 million Uber riders and drivers in a 2016 data breach, took the stand Monday in the criminal trial of its former head of security Joseph Sullivan, accused of hiding the breach from the authorities.

MARIA DINZEO / September 12, 2022

SAN FRANCISCO (CN) — When hackers Vasile Mereacre and Brandon Glover teamed up in 2016 and began scouring GitHub for exploitable security flaws, they weren’t looking to hack any one company specifically. But Uber’s lax security quickly made the ride-hail giant the pair’s top target.

Testifying Monday in former Uber security chief Joe Sullivan’s criminal obstruction and concealment trial, Mereacre said he and Glover modeled their hack on others they’d read about in online forums, where stolen email addresses and passwords were used to access GitHub, a website where software developers store and share software code.

Once they gained access to GitHub, Mereacre and Glover searched the public site for access keys to Uber company servers, which were hosted by Amazon Web Services. After a while, they hit the motherlode: an AWS key that unlocked a “simple storage service,” or S3, folder containing more than 200 files of private user data.

Mereacre said he and Glover were "struck" that one of the keys they’d stolen from GitHub had actually worked. After all, it wasn’t like they were looking through an internal company chat; this was the public GitHub site. He also said most companies change or “rotate” their keys regularly as a routine security measure.
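The two weaknesses described above, a long-lived AWS access key committed to a public repository and the absence of key rotation, are exactly what a defender's secret scanning and key-age audit look for. The following is an added example, not code from the article or from Uber; the sample credentials file, the key IDs, the inventory dates and the 90-day rotation policy are all constructed assumptions (the secret value is the placeholder from AWS's own documentation, not a live credential).

```python
import math
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a credentials file accidentally committed to a public
# repository. The key ID is made up in AWS's "AKIA..." format; the secret is the
# example value from AWS's documentation. Neither is a live credential.
SAMPLE_FILE = """
[default]
aws_access_key_id = AKIAEXAMPLE0123456AB
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-west-2
"""

# Long-lived IAM user access key IDs are 20 characters starting with "AKIA".
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})")


def shannon_entropy(s: str) -> float:
    """Bits per character; real secrets score high, placeholders like 'x'*40 do not."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_leaked_credentials(text: str, min_entropy: float = 3.5) -> dict:
    """Return access key IDs and high-entropy secret candidates found in text."""
    secrets = [m.group(1) for m in SECRET_RE.finditer(text)
               if shannon_entropy(m.group(1)) >= min_entropy]
    return {"access_key_ids": ACCESS_KEY_RE.findall(text), "secrets": secrets}


def keys_overdue_for_rotation(keys, now, max_age_days=90):
    """keys: iterable of (key_id, created_at). Flags keys older than the policy."""
    return [k for k, created in keys if now - created > timedelta(days=max_age_days)]


def sample_rotation_audit():
    """Constructed key inventory checked against an assumed 90-day rotation policy."""
    now = datetime(2016, 11, 14, tzinfo=timezone.utc)  # constructed reference date
    inventory = [("AKIAEXAMPLE0123456AB", now - timedelta(days=400)),
                 ("AKIAEXAMPLE0123456CD", now - timedelta(days=10))]
    return keys_overdue_for_rotation(inventory, now)


if __name__ == "__main__":
    print(find_leaked_credentials(SAMPLE_FILE))
    print(sample_rotation_audit())
```

In practice the scan runs as a pre-commit hook or CI step over every file, and the rotation audit runs against the key creation dates reported by the IAM API rather than a hard-coded list.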

“I guess they would have better security, but Uber did not,” Mereacre said. He and Glover then downloaded the data, consisting of the names, email addresses and phone numbers of 57 million app users, along with 600,000 driver’s license numbers.

They then decided to contact Uber and demand a ransom. "We thought to reach out to Uber to see if we could get some money out of it," Mereacre said.

Mereacre used the pseudonym “John Doughs” in his email to security chief Joe Sullivan. “We didn't want our identities to be public because of the way we'd gotten the data and downloaded it,” Mereacre said. “The process was illegal.”

His email read: “Hello Joe. I have found a major vulnerability in uber I was able to dump uber database and many other things.”

Sullivan did not handle the breach on his own, though he alone stands accused of concealing the breach from authorities and obstructing an investigation by the Federal Trade Commission into Uber’s security practices.

Aside from his initial email to Sullivan, Mereacre communicated almost exclusively with Rob Fletcher, a member of the company's security response team. Though Fletcher’s name was on the emails, they were written in collaboration with other members of the team, including Sullivan and Uber's in-house counsel.

Fletcher testified Monday that he and his team originally thought the email from “John Doughs” was a hoax. It wasn’t an unreasonable conclusion; Fletcher ran the company’s “bug bounty” program where hackers (companies prefer to call them researchers) are paid to search for and report security flaws. He said most of the so-called bugs that get reported are “junk.”

Prosecutors showed the jury an early message Fletcher sent colleague Collin Greene that showed his early assessment of the situation: “lol Can almost guarantee this is bullshit but will continue to keep you looped in :).”

But a lengthy string of emails between Fletcher and John Doughs revealed the gravity of the situation as it unfolded. Fletcher asked Doughs to show him some proof, and asked him to interact through the bug bounty program Uber ran in partnership with the site HackerOne.

Mereacre, still going by Doughs, responded with a sample of Fletcher’s own downloaded data.

Fletcher replied, "Cool some of the values do look concerning- we most certain pay bounties for qualifying reports. In order to validate the issue, can produce reproduction steps?”


But Mereacre wasn’t taking the bait. Under questioning from Assistant U.S. Attorney Andrew Dawson, he said he and Glover were looking for a big payout.

“Was it your intent to extort Uber?” Dawson asked, to which Mereacre answered, “Yes.”

Early emails to Fletcher indicate a threatening bent. "Before we continue, I want to ask how much are you guys willing to pay for this?” Mereacre wrote. “It's not a vulnerability, it s a lack of security. And this lack of security causes [sic] for all the data to be exposed.”

But just to play along, Mereacre created an account on HackerOne, though he said that on skimming the guidelines, it didn’t appear to him that his hack would qualify since he and Glover had already stolen data.

He also scolded Uber, via an email to Fletcher, about the company’s carelessness with passwords, specifically its lack of two-factor authentication and its negligent leak of an AWS key on a public site. “Uber should have mandatory 2 step authentication on GitHub,” he wrote. "ALL INTERNAL data was able to downloaded and seen. Your security steps are very poorly done, the lack of negligence [sic] and care here is zero to none. Your employees are careless and don’t care about security.”

He said he and his “team” also breached servers owned by Stubhub, Seatgeek, and Lynda.com, an online learning company now owned by LinkedIn.

When Fletcher informed Mereacre that the maximum “bounty” Uber typically pays is only $10,000, Mereacre pushed back, writing, “Our team will not disclose this vulnerability for 10k. Our minimum is six digits.”

Four days after the hack, Fletcher wrote to Mereacre that he was able to get approval for a $100,000 bounty, with one caveat. “With a case like this, we have a confidentiality form that needs to be singed by you and your team. It essentially states that you've deleted all the data and agree not discuss this publicly. I've signed it and submitted it . . . . can you provide mail addresses for the other members of your team so I can get a copy to them as well? After that, Hacker one will release payment and I think we can call this closed out.”

Both Mereacre and Glover received copies of a nondisclosure agreement, in which they falsely attested that they did not download or store any data. They both signed the agreement using fake names — Mereacre with his John Doughs pseudonym, Glover as “Scott Wilson.”

“Unfortunately, our legal team said I can't pay out to John Doughs since we get audited for compliance with 'OFAC and bribery laws' and can't just send $100k into the wild,” Fletcher wrote back. “They said you should be ok with signing your real name.”

“I kind of had a feeling at the time that they wouldn't buy the John Doughs name,” Mereacre told the jury. So he signed a second NDA as “William Loafman.”

The subterfuge made it difficult for Mereacre to collect the bounty. First, the cryptocurrency exchange Coinbase flagged the payment as fraudulent because it was too high. And HackerOne required Mereacre and Glover to submit tax forms and other information to verify their real identities. Mereacre asked Fletcher if they could bypass the HackerOne program. An email he sent Fletcher on Nov. 29 said, “I would very much appreciate it if came from you guys rather than hacker one. They require a lot of information I don't have (and then it goes to Coinbase they are known to hold money for a long time) Other companies that likes [sic] to ask for every single detail.”

By Dec. 5, Mereacre was getting antsy. He wrote Fletcher, “Please keep in mind, that the contract states, ‘all data will be deleted once the money is paid'. The ball is in your court. Will leave my bitcoin address in this message and you will have to speak with upper manager on what you guys decide to do.”

Mereacre told the jury, “I was saying we still have possession of the data and we'd like to get paid or else.”

On Dec. 7, Fletcher replied, “Hey, I think we've got some movement. We think we we can get hacker one to release it if we sign off it based on our contract.”

By Dec. 8, Mereacre had the money. In early January, Glover received an email from Mat Henley, another member of Uber’s security team. “Hey Brandon, I wanted to reach out now that the holidays are over to circle back on your bounty,” Henley wrote. "I definitely appreciated the help from you guys. It was a great catch, and it's a perfect example of the value that the program bring to both us and the security community. I’m sure it was a great way to kick off your Christmas:)”

Quickly changing his breezy tone, Henley then asked Glover and Mereacre to sign fresh NDAs with their actual names and indicated he knew that Mereacre is originally from Moldova and now lives in Toronto. He added, “I happen to have one of my team members down in Florida right now and he will meet who you tomorrow to get the contact signed.”

“Our first reaction was how were they able to find us?” Mereacre testified. "We were dumbstruck — just the amount of information they had on us.”

Fletcher testified that Uber’s security team had used the bug bounty program as a way to find out their real identities, though the company ultimately decided not to pursue legal action.

The process was painstaking.

“We're not closer to attribution,” Henley wrote in a message to Fletcher at one point. "It's becoming clear we're not dealing with a novice. We’re paying now and continuing attribution, I think risk of a dump is high if we don't."

In December, Fletcher asked Henley if Uber’s “end goal” was to get the hacker arrested or just get him to go away.

“The end goal is not to arrest him . . . but we really need to find him because he could dump just to be an ass,” Henley replied. “We're feeling really incompetent right now, it's very frustrating.”

Under cross-examination by Sullivan’s attorney Tyler Francis, Fletcher said the email negotiations with John Doughs were all part of Uber’s grand scheme to stall the hackers while Henley hunted them down.

The plan seemed to work. Mereacre said he met Uber’s chief legal counsel at a hotel in downtown Toronto to sign the forms. A year later, the hackers were arrested. They agreed to cooperate in exchange for a reduced sentence.

Sullivan, fired in 2017 for mishandling the incident, was charged in 2020 with one count of obstruction and one count of hiding a felony from authorities in what’s said to be the first example of a security chief being prosecuted over a data breach.