Uber links to sensitive ride data now expire after 48 hours
- 04 September, 2015 21:54
On Thursday, a site-specific search on Google for trip.uber.com produced dozens of links to Uber rides that have been completed and cancelled, in countries around the world including the U.S., England, Russia, France and Mexico.
Each link leads to a Web site with a map showing the ride's route, with the pickup and destination tagged with markers. A card on the page also shows the first name of the rider and driver, along with the driver's photo, make and model of car, and license plate number.
The map appears just as it might during the actual ride for the driver and rider on their smartphones.
If that wasn't troubling enough, the publicly accessible source code for each of these Web sites reveals even more.
In the code, exact addresses for the pick-up spot and destination can be found. So can the car's license plate and the exact date and time of the ride.
By combining the information displayed on the map with data gleaned from the source code, people could learn an awful lot about these riders and drivers through other Google searches.
Tech news site ZDNet reported on the finding earlier on Thursday.
In a statement, an Uber spokeswoman said, "This is not a data leak. We have found that all these links have been deliberately shared publicly by riders. Protection of user data is critically important to us and we are always looking for ways to make it even more secure."
In 2013, Uber added a feature to its app to let riders share their ETA with friends and family during the ride. With the feature, riders can send a link, via SMS, to a live map that shows when they'll arrive at their destination.
The links containing the ride data that appeared in the Google results had also been shared on social media sites, and were thus cached by Google, an Uber spokeswoman said Thursday.
Google includes tweets in its search results.
Mikko Hypponen, chief research officer at IT security company F-Secure, previously called attention to the matter on Twitter, with pictures of the Uber links and maps he had found on Google.
In response, John Flynn, Uber's chief information security officer, said the links were shared deliberately by users.
But even though the links may have been deliberately shared online, users likely were not aware that they would contain sensitive data in the source code, or that anyone could find them through Google.
Those revelations might raise new privacy concerns among some Uber users. Some users might decide to stop using the share ETA feature, while others who are sent the links might now opt not to post them online.
Uber has previously faced controversy over its data policies, and the level of access company employees have to individual riders' trip data.
Late last year, Uber brought in a Washington, D.C., law firm to review its data policies, after attention had been brought to a so-called "god view" tool that let employees view rider logs and trip histories.
But this time, in the case of ride links shared online by users, it might be Uber customers who find themselves having to perform a privacy check of their own.
(Correction: An earlier version of the story misidentified the Uber official who responded to Hypponen's tweet; it was John Flynn, Uber's chief information security officer.)