SAN FRANCISCO (CN) — When hackers Vasile Mereacre and Brandon Glover teamed up in 2016 and began scouring Github for exploitable security flaws, they weren’t looking to hack any one company specifically. But Uber’s lax security quickly made the ride-hail giant the pair’s top target.
Testifying Monday in former Uber security chief Joe Sullivan’s criminal obstruction and concealment trial, Mereacre said he and Glover modeled their hack off others they’d read about in online forums, where stolen email addresses and passwords were used to access Github, a website where software developers store and share software code.
Once they gained access to Github, Mereacre and Glover searched the public site for access keys to Uber company servers, which were hosted by Amazon Web Services. After a while, they hit the motherlode: an AWS key that unlocked an Amazon Simple Storage Service (S3) bucket containing more than 200 files of private user data.
Mereacre said he and Glover were "struck" that one of the keys they’d stolen from Github had actually worked. After all, it wasn’t like they were looking through an internal company chat; this was the public Github site. He also said most companies usually change or “rotate” their keys regularly as a routine security measure.
“I guess they would have better security, but Uber did not,” Mereacre said. He and Glover then downloaded the data, consisting of the names, email addresses and phone numbers of 57 million app users, along with 600,000 driver’s license numbers.
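The two failures described in the testimony, a long-lived AWS access key committed to a public code repository and no routine key rotation, are both cheap to check for. The script below is an added illustration written for this page; it is not code from Uber, the hackers, or the court record. It scans text for the fixed format of AWS access key IDs (20 characters starting with AKIA or ASIA) and for an adjacent 40-character secret, then flags active IAM keys older than a rotation window. The sample config file and the key list are constructed; the key list only mimics the shape of `aws iam list-access-keys` output and no AWS call is made, so it runs offline.

```python
"""Offline checks for leaked and stale AWS access keys (added example, not Uber's code)."""
import re
from datetime import datetime, timedelta, timezone

# AWS access key IDs are 20 chars: a 4-char prefix (AKIA = long-term IAM user key,
# ASIA = temporary STS key) followed by 16 uppercase alphanumerics. The lookarounds
# stop the pattern from matching inside a longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 chars from the base64 alphabet. Requiring an
# assignment-style context ("secret = ...") keeps random base64 blobs from matching.
SECRET_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_for_aws_keys(text):
    """Return [(line_no, kind, value)] for every key ID or secret found in text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((n, "access_key_id", m.group(0)))
        for m in SECRET_RE.finditer(line):
            findings.append((n, "secret_access_key", m.group(1)))
    return findings


def stale_access_keys(keys, now, max_age_days=90):
    """keys: dicts shaped like `aws iam list-access-keys` entries
    (AccessKeyId, Status, CreateDate as ISO-8601 UTC).
    Return the IDs of Active keys created more than max_age_days ago.
    Inactive keys are ignored: they cannot be used, only cleaned up."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for k in keys:
        created = datetime.fromisoformat(k["CreateDate"].replace("Z", "+00:00"))
        if k["Status"] == "Active" and created < cutoff:
            stale.append(k["AccessKeyId"])
    return stale


# Constructed sample: a credentials file committed to a repo. The key ID and
# secret are the values AWS reserves for documentation examples, not real keys.
SAMPLE_CONFIG = """\
[default]
region = us-west-2
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# comment mentioning AKIA but not a key
"""

# Constructed key inventory (hypothetical dates). "Now" is set near the breach
# date so that a key from 2015 shows up as long overdue for rotation.
NOW = datetime(2016, 11, 14, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active", "CreateDate": "2015-06-01T12:00:00Z"},
    {"AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active", "CreateDate": "2016-10-01T12:00:00Z"},
    {"AccessKeyId": "AKIAJ7ZZZZZZZEXAMPLE", "Status": "Inactive", "CreateDate": "2014-01-01T12:00:00Z"},
]

if __name__ == "__main__":
    for line_no, kind, value in scan_for_aws_keys(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind} = {value}")
    for key_id in stale_access_keys(SAMPLE_KEYS, NOW):
        print(f"rotate: {key_id} is active and older than 90 days")
```

In practice the scanner would run over `git log -p` output or a pre-commit hook rather than a single file, and the rotation check over the real `list-access-keys` result; a key that appears in both lists, leaked and never rotated, is exactly the situation the testimony describes.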
They then decided to contact Uber and demand a ransom. "We thought to reach out to Uber to see if we could get some money out of it," Mereacre said.
Mereacre used the pseudonym “John Doughs” in his email to security chief Joe Sullivan. “We didn't want our identities to be public because of the way we'd gotten the data and downloaded it,” Mereacre said. “The process was illegal.”
His email read: “Hello Joe. I have found a major vulnerability in uber I was able to dump uber database and many other things.”
Sullivan did not handle the breach on his own, though he alone stands accused of concealing the breach from authorities and obstructing an investigation by the Federal Trade Commission into Uber’s security practices.
Aside from his initial email to Sullivan, Mereacre communicated almost exclusively with Rob Fletcher, a member of the company's security response team. Though Fletcher’s name was on the emails, they were written in collaboration with other members of the team, including Sullivan and Uber's in-house counsel.
Fletcher testified Monday that he and his team originally thought the email from “John Doughs” was a hoax. It wasn’t an unreasonable conclusion; Fletcher ran the company’s “bug bounty” program where hackers (companies prefer to call them researchers) are paid to search for and report security flaws. He said most of the so-called bugs that get reported are “junk.”
Prosecutors showed the jury an early message Fletcher sent colleague Collin Greene that showed his early assessment of the situation: “lol Can almost guarantee this is bullshit but will continue to keep you looped in :).”
But a lengthy string of emails between Fletcher and John Doughs revealed the gravity of the situation as it unfolded. Fletcher asked Doughs to show him some proof, and asked him to interact through the bug bounty program Uber ran in partnership with the site HackerOne.
Mereacre, still going by Doughs, responded with a sample of the downloaded data that included Fletcher’s own information.
Fletcher replied, "Cool some of the values do look concerning- we most certain pay bounties for qualifying reports. In order to validate the issue, can produce reproduction steps?”