The data breach at Uber Technologies holds a lesson for software developers who use third-party services to store and share code: be careful what you share.
Services like San Francisco-based Github Inc., GitLab and SourceForge are used by developers to collaborate on projects, track bugs in code and distribute early versions of applications. They’re a target for cyberthieves.
Uber lost records on 57 million customers and drivers after hackers gained access to a password-protected area of Github, one of the most popular code storehouses in the world. It’s happened before, too.
“Code depositories can be very problematic”, Chris Boyd, an analyst at cybersecurity company Malwarebytes Inc., said. Many companies are slow to remove login details for these storage services when developers leave.
Earlier this month, a security researcher found that software developers for Chinese drone manufacturer SZ DJI Technology Co. had left the private keys for their Amazon Web Services cloud account and all the company’s websites in code they posted publicly on Github.
In 2014, hackers found a login key left in code that Uber’s developers publicly posted on Github, resulting in the theft of data on 50,000 Uber drivers. The ride-hailing company sued Github in 2015 to force it to hand over information about users who might have accessed the site that the code originated on.
Edwin Foudil, a security researcher, said many companies mistakenly include passwords and private keys in the code they post on storage services.
“It is incredibly prevalent”, Foudil said, adding that some developers assume their code is safe when it’s in a password-protected area. “They are relying on the repository being private, but it’s bad practice.”
Hackers hunting for vulnerabilities routinely scan code posted publicly to Github for passwords and private encryption keys that developers have left visible, he explained.
Github declined to comment on individual accounts when asked about the latest Uber breach. It said it advises users to “never store access tokens, passwords, or other authentication or encryption keys in the code”. If developers must include such items, they should use extra security procedures “to prevent unauthorised access or misuse”.
18F, a group of programmers who help build software for the US government, uses Github to share code, but mandates its developers run a piece of software that scans code for passwords and keys before allowing it to be posted.
However, these tools often generate “false positives”, mistaking bits of innocent code for passwords or keys, Foudil said. The security researcher added that he has found code that 18F uploaded that still contained information that should have been deleted. There’s no substitute for human code review before uploading it to a service like Github, he said. The Uber hack is unlikely to stop the use of code-sharing services.
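A minimal version of the kind of pre-push secret scanner described above, added here as an illustration and not code published by 18F, GitHub or any named tool. It combines a fixed-format rule for AWS access key ids (the credential type the DJI case involved), a keyword rule for secret-like assignments and a Shannon-entropy rule for long random-looking literals, and it reproduces the false-positive problem Foudil describes: a test-fixture hash trips the entropy rule, and the `# pragma: allowlist secret` marker (an assumed convention, modelled on what some scanners use) is the point where a human reviewer records that a hit was checked. Every sample line and key-like value is constructed.

```python
import math
import re
from collections import Counter

# Constructed lines from a commit about to be pushed; every value is made up.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAQWERTYUIOPASDFGH"',                   # key id literal
    'aws_secret_access_key = "Zq7xP2vLm9TbR4nWk8YcJ3hGd6sFa1Ue"',  # secret in source
    'db_password = "hunter2"',                                      # password literal
    'password = os.environ["DB_PASSWORD"]',                        # fine: read from env
    'FIXTURE_SHA256 = "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"',
    'PUBLIC_ID = "5d41402abc4b2a76b9719d911017c592"  # pragma: allowlist secret',
    'release = "2017.11.21"',
]

AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b[\w-]*(password|passwd|secret|token|api[_-]?key)[\w-]*\s*[=:]\s*[\"']([^\"']+)[\"']")
QUOTED_STRING = re.compile(r"[\"']([^\"']{20,})[\"']")
ALLOWLIST_MARKER = "# pragma: allowlist secret"  # assumed marker: reviewer accepted this hit
ENTROPY_THRESHOLD = 3.5  # bits/char: random keys sit well above, prose and versions below

def shannon_entropy(s: str) -> float:
    """Bits of Shannon entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_line(line: str):
    """Return (rule, value) for the first rule the line trips, or None if it is clean."""
    if ALLOWLIST_MARKER in line:          # a human reviewed this hit and accepted it
        return None
    m = AWS_KEY_ID.search(line)           # fixed-format key ids need no entropy test
    if m:
        return ("aws-access-key-id", m.group(0))
    m = SECRET_ASSIGNMENT.search(line)    # secret-ish name assigned a string literal
    if m:
        return ("secret-assignment", m.group(2))
    for value in QUOTED_STRING.findall(line):   # long random-looking literals
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            return ("high-entropy-string", value)
    return None

def scan(lines):
    """Pre-commit style scan: [(line_no, rule, value)]; a non-empty result blocks the push."""
    return [(no, *hit) for no, line in enumerate(lines, start=1) if (hit := scan_line(line))]
```

Running `scan(SAMPLE_LINES)` flags lines 1, 2, 3 and 5; line 5 is the false positive a reviewer must clear by hand (or mark with the allowlist comment, as line 6 already is), while the environment-variable read on line 4 and the version string on line 7 pass.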