The taxi-sharing app start-up, Uber, got it’s one of the most prominent features almost abused just with a Google search. ZDnet discovered that ‘Share your ETA’ links, shared by the users to their selected contacts while travelling alone or through shady areas, were publically accessible to almost anybody on this planet. Initial reports say that the company has disabled this feature temporarily.
A site-specific Google search was able to pull-off the results that were linked to the Uber’s website. Technically, it is not a breach, but the availability of the all those ride links on Google that were shared using the “Share your ETA” service. One could see the links containing details about on-the-way, cancelled and completed trips. For now, the company is going to make the links expire within 48-hours of initiation.
However, the solution is still not that secure as anyone with access to those links can view the person activities and travel map by sitting comfortably in the room. This can let the serious crimes happen against a targetted person as criminals are aware of taxi’s location at any moment.
What Uber is going to do is let the viewers view the taxi’s location only if they have an account with a verified email and contact number mentioned for the link. Apparently, most of the people have an account on the Uber and by using the credentials, it would be a lot easier for a person to share the details only with friends and family.
Joe Sullivan, Uber’s Chief Security Officer, explained that people often share their travel details on publically accessible social media websites such as Facebook and Twitter, and from there only the links are getting indexed in the Google. Uber will now advise the users to share their details only to the known people.
If we look at the security posture of any organization, then the loopholes are found in the most conspicuous places. It is the security researchers or bug hunters who unveil them and responsibly disclose to the authorized person.