Searching Google for "site:trip.uber.com" can return details of Uber rides taken by strangers, as Mikko Hypponen, chief research officer for F-Secure, has discovered.
This is not technically a data breach, because URLs to these ride pages are being shared by their users on Twitter or other social media services, as a way to let family or friends know when they are arriving at a particular destination, Joe Sullivan, Uber's chief security officer, has explained.
The data shared by users shows information about the ride's start and end points on a map, the driver's name and image, along with the car's type, model, and license plate number.
Digging in the page's source code, h@ckz0rz can find additional metadata like the exact geographical coordinates for the start and end locations, along with timestamps for the pick-up and arrival times.
While this may not be worrisome, since users choose to share this kind of data on Twitter, Uber could have done more to encrypt ride details in the source code, while also preventing search engines from accessing these pages.
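As an illustration of the search-engine side of that point, the following check reports whether a fetched share page carries a `noindex` signal in its `X-Robots-Tag` header or robots meta tag. It is an added example, not Uber's code; the function names and the two sample responses are constructed for illustration.

```python
from html.parser import HTMLParser

CRAWLER_META = {"robots", "googlebot", "bingbot"}  # meta names crawlers honour
BLOCKING = {"noindex", "none"}                     # "none" = noindex, nofollow

def _tokens(value):
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def _header_tokens(value):
    # X-Robots-Tag may be scoped to one crawler ("googlebot: noindex");
    # a scoped rule is counted as blocking here for simplicity.
    agent, sep, rest = value.partition(":")
    if sep and "," not in agent and agent.strip().lower() != "unavailable_after":
        value = rest
    return _tokens(value)

class _MetaRobots(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tokens = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").strip().lower() in CRAWLER_META:
            self.tokens |= _tokens(a.get("content", ""))

def indexing_controls(headers, html):
    """Report which noindex signals a fetched share page carries."""
    header_tokens = set()
    for name, value in headers:
        if name.lower() == "x-robots-tag":
            header_tokens |= _header_tokens(value)
    parser = _MetaRobots()
    parser.feed(html)
    header_block = bool(header_tokens & BLOCKING)
    meta_block = bool(parser.tokens & BLOCKING)
    return {"header": header_block, "meta": meta_block,
            "indexable": not (header_block or meta_block)}

# Constructed responses for a hypothetical share page (not real Uber output).
EXPOSED = ([("Content-Type", "text/html")],
           "<html><head><title>Trip</title></head><body>map</body></html>")
HARDENED = ([("Content-Type", "text/html"), ("X-Robots-Tag", "noindex, nofollow")],
            '<html><head><meta name="robots" content="noindex"></head></html>')

if __name__ == "__main__":
    for label, (hdrs, body) in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, indexing_controls(hdrs, body))
```

A `Disallow` rule in robots.txt is not a substitute for these signals: a crawler has to fetch the page to see `noindex`, and a disallowed URL that is linked from social media can still be listed in results.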
Tech site ZDNet, which first reported on this issue, found private details of Uber users from countries like the US, UK, Russia, Indonesia, India, and the Philippines. Other users reported ride details for users in other countries like France and Mexico.
Searching for stuff on https://t.co/HXxwZnnWAW gets you information like this. pic.twitter.com/lfQlbN806W
— Mikko Hypponen (@mikko) September 2, 2015
@mikko We found that all of these links are deliberately shared by users. Our user data is critical; will look for ways to further improve.
— four (@four) September 2, 2015