Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Another Uber Screw-up: How Not to Deal with Password Resets

May 21, 2015

Two days ago we were in Philadelphia lecturing about cloud security. One of the ways to send confidential information via e-mail is to password-protect a Word document, which encrypts the contents. We mentioned that you should not include the password in the same e-mail that carries the Word attachment. That comment drew a chuckle from the audience. It was pretty obvious that nobody from Uber was in the audience, since they would think it is perfectly fine to send password resets in clear text. At least that’s what Naked Security reported.

As the story goes, Isabelle Berner was taking a lot of Uber rides in the UK even though she lives in New York City and hasn’t been to the UK recently. Of course, her Uber account was hacked, so she immediately changed her password and notified Uber support. Shocker, but her account was hacked again. The problem is that Uber sends the reset password in plain text instead of providing a link back to its website to facilitate the reset. Apparently, Uber is the modern-day manifestation of Forrest Gump’s “Stupid is as stupid does.”
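For contrast with mailing the password itself, here is a sketch of the link-based reset described above; it is an added example, not code from Uber or from the Naked Security report. The URL, the in-memory store, the 15-minute lifetime and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60                     # assumed lifetime; set per policy
RESET_URL = "https://example.com/reset?token="  # placeholder site URL

# Constructed in-memory store: sha256(token) -> (user_id, expires_at).
# A real service would keep this in its database.
PENDING = {}


def token_digest(token: str) -> str:
    """Hash the token so a leaked store does not yield usable reset links."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_link(user_id: str, now: Optional[float] = None) -> str:
    """Return the link to e-mail. The e-mail never contains a password."""
    now = time.time() if now is None else now
    # A new request cancels any earlier outstanding link for this user.
    for key in [k for k, (uid, _) in PENDING.items() if uid == user_id]:
        del PENDING[key]
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    PENDING[token_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return RESET_URL + token


def redeem_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is valid and unexpired, else None."""
    now = time.time() if now is None else now
    # pop() makes the token single use: a second click finds nothing.
    entry = PENDING.pop(token_digest(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id  # caller now lets this user choose a new password over HTTPS


if __name__ == "__main__":
    link = issue_reset_link("rider-1")
    tok = link[len(RESET_URL):]
    print(link)
    print("first use :", redeem_token(tok))
    print("second use:", redeem_token(tok))
```

Anyone who later reads the mailbox finds only a dead link, because the token expires and works once, whereas a mailed password stays valid until the user changes it.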

Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
http://www.linkedin.com/in/johnsimek
http://www.senseient.com