If any pentester downloaded more data than necessary to prove a bug exists, they would be fired.
I don't know whether this person downloaded 57M user records. Maybe it was a 500kb zip file, which would be totally reasonable to grab in a pentest. And then once you realize what it is, you run `srm` on it to ensure it's wiped, then immediately call the client so they can deploy an emergency hotfix and perform forensic analysis to see if the data had already been nabbed.
We know he contacted Uber. We don't know whether he said "Give me $100k and I'll delete the data" or "Give me $100k and I'll keep my mouth shut" or if Uber offered him the $100k or any details at all. In this scenario, it's better to assume the best until proven otherwise. And by "proof" I mean "emails showing what was said," not a second-hand news report that attempts to spin it into an easily clickable form.
But I suppose it could have gone the other way too, and maybe he did. The point is, it's totally reasonable for Uber to raise the price until he was willing to keep quiet about it. If I ran into this bug in the wild, I would be ethically obliged to report it to you, dear readers, after a reasonable time period. But I suppose certain ethics would take a back seat to $100k in my pocket, and I'm not ashamed of that.
But it depends on the data. If we're talking SSNs, that could really screw up people's lives, so I don't think I'd be able to be bought. CC numbers I'd probably overlook, since you can't really mess with someone's life by stealing their CC number. They just get refunded. (edit: On the other hand, businesses eat the cost of fraud, so this would probably need to be reported.)
The point is, it's a big complex topic and there are a bunch of things we don't know. But above all, if you are ever holding data hostage and demanding money to destroy it, you're not a pentester, you're a chump.
edit2: it occurs to me that maybe the 20yo wanted to hold the data in order to prove to the world that the breach really did happen, i.e. his intent was altruistic. I could picture myself doing something misguided like that back when I was 20. But the trick is to keep only a few records at most, and redact everything sensitive. Then tell the truth. The company can't lie and say it didn't happen, since they don't know whether you can prove that it did. And no one is at risk because the data is gone.
Uber paid this Florida man 100K as a bug bounty - and the secrecy was just part of the deal. My understanding is that bug bounties usually come with a reasonable disclosure process, but in this case Uber did not want this because of the severity of the issue, which in my opinion is wrong because of the potential impact of the bug. In any case, I wouldn't be surprised if similar cases have happened to other big companies like Google or Facebook.
Edit: According to the disclosure process on https://www.hackerone.com/disclosure-guidelines, there's nothing about disclosures lasting this long.
People find game-over vulnerabilities and report them to bug bounties all the time. To a first approximation, 100% of server-side RCE vulnerabilities reported through HackerOne create comparable conditions. But the reporters don't have their machines forensically imaged or violate breach disclosure laws when they report on H1.
This doesn't add up.
So, knowing it was HackerOne, was this as nefarious as the news is making it out to be? It sounds like he found private keys in the GitHub repos, as was mentioned; that doesn't necessarily mean that he downloaded anything or even blackmailed Uber. Uber is still in the wrong for keeping a potential breach secret, but I'm beginning to have my doubts here.
Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.
It's a good thing no hacker would ever think to make a backup copy of the file on a USB stick or upload it to some cloud provider.
The Florida hacker paid a second person for services that involved accessing GitHub, ... to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
In what world is the FL man (and his 2nd person) not a felon?
A well-known, heavily trafficked site was put under onerous FTC sanction and had to agree to prepare monthly reports about how they were keeping users' data safe for the next ten years.
Perhaps Uber will face the same penalty.
This seemed like a bug bounty from the beginning, and the media was disingenuous to spin it like blackmail.
If there was no evidence that any data was actually compromised, I'm not sure I see a reason why they would need to disclose this to the public.
Long-time security researcher here... most smart companies do not bribe, they simply hire, post-exploit. An employee or even a consultant under NDA can't disclose very easily. In fact, many Fortune 500s will seek out up-and-coming analysts for some fluff project with little other reason than to get that NDA.
So, they are willing to pay $100k but normally their max payout for the severest bug is $15k?
I bet Uber was hacked long before 2016, as $1k was stolen from my Uber account in May 2014. It was supposedly for a ride in London while I'm in DC. When this happened I searched Twitter and saw 10 to 20 people a day complaining of the same thing.
Uber's PR response at the time was that it's the user's fault for not choosing a complicated password, vs. owning up that there's a problem and/or being concerned for their customers. What a great company!
Uber employee said "Uber hack - What a fucked up way to handle such a problem."
Finally, Florida Man gets a break! Normally he has such a hard life:
And that’s why you shouldn’t check in passwords or tokens with Git, kids.
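One defensive way to act on the comment above is a pre-commit check that scans only the lines a commit adds for credential-shaped strings, so a private key or API token is caught before it ever reaches a remote. The following is an added example written for this page, not code from the thread or from Uber or GitHub; the detection patterns are an assumed, deliberately small set (real scanners such as gitleaks carry far more), and the unified diff it scans is a constructed sample (the `AKIA...EXAMPLE` value is AWS's documented placeholder key ID, not a live credential).

```python
"""Scan the added lines of a unified diff for credential-shaped strings.

Intended use as a pre-commit hook:  git diff --cached | python scan_diff.py
Exit status 1 means "something that looks like a secret was staged".
"""
import re
import sys
from typing import List, Optional, Tuple

# Assumed, intentionally small pattern set for illustration. A production
# scanner would carry many more signatures plus an entropy heuristic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "at-least-8-char literal": password/secret/token/api_key assignments
    "generic_secret_assignment": re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Constructed sample diff, not from any real repository.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2-not-a-real-credential"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DEBUG = True
 print("ok")
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+(key material omitted in this constructed sample)
"""

Finding = Tuple[Optional[str], int, str]  # (path, line in new file, pattern name)


def scan_added_lines(diff_text: str) -> List[Finding]:
    """Return findings for '+' lines only; removed and context lines are ignored.

    Line numbers are tracked from each '@@ -a,b +c,d @@' header so a finding can
    be reported at its position in the post-commit file.
    """
    findings: List[Finding] = []
    current_file: Optional[str] = None
    new_lineno = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            # New-file header; strip git's "b/" prefix.
            current_file = raw[4:].strip()
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)
            new_lineno = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("+") and not raw.startswith("+++"):
            new_lineno += 1  # added line: exists in the new file
            content = raw[1:]
            for name, pattern in PATTERNS.items():
                if pattern.search(content):
                    findings.append((current_file, new_lineno, name))
        elif raw.startswith("-") or raw.startswith("\\"):
            continue  # removed line or "\ No newline at end of file": not in new file
        else:
            new_lineno += 1  # context line (or non-hunk text before the next @@)
    return findings


def has_secrets(diff_text: str) -> bool:
    """Convenience wrapper for the hook's pass/fail decision."""
    return bool(scan_added_lines(diff_text))


if __name__ == "__main__":
    # Read the staged diff from stdin when piped; fall back to the sample otherwise.
    diff = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    for path, lineno, name in scan_added_lines(diff):
        print(f"{path}:{lineno}: possible {name}")
    sys.exit(1 if has_secrets(diff) else 0)
```

Scanning only added lines keeps the hook fast and avoids re-flagging history, but it also means a secret already committed is not reported; clearing that requires a full-history scan and rotating the credential, since removing it from the tip does not un-leak it.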
Isn't this like bug bounty? I know Uber is not a shining example of ethical practices, but could this be a case of genuine bug bounty?
Lol sounds like a settlement but without the lawyers.
So he's doing corporate espionage stuff now?
I see Florida Man has made the news again