On August 20, 2020, a criminal complaint was filed charging Joseph Sullivan, Uber’s former chief security officer, with obstruction of justice and misprision of a felony in connection with an alleged attempted cover-up of a 2016 data breach. These are serious charges for which Mr. Sullivan has the presumption of innocence. (https://www.lexology.com/library/detail.aspx?g=41ef391b-d1a1-4f76-985f-38b5ea588e3e)
At the time of the 2016 data breach, Uber was being investigated by the US Federal Trade Commission (FTC) in connection with a prior data breach that occurred in 2014. According to the complaint, the hackers behind the 2016 breach stole a database containing the personal information of about 57 million Uber users and drivers. The hackers contacted Uber to inform the company of the attack and demanded payment in return for their silence. According to the complaint, Uber’s response was to attempt to recast the breach as a legitimate event under Uber’s “bug bounty” program and pay a bounty. An affidavit submitted with the complaint portrays a detailed story of deliberate steps undertaken by Mr. Sullivan to allegedly conceal the 2016 breach from the FTC, law enforcement and the public. (https://www.lexology.com/library/detail.aspx?g=41ef391b-d1a1-4f76-985f-38b5ea588e3e)
With user data in their possession, the hackers Glover and Mereacre created a Protonmail email address that they then used to contact the hacked companies. They began with Uber in early November 2016, when they contacted the company’s Chief Security Officer. The two hackers claimed they “found a major vulnerability,” and provided a sample of the stolen data. The two demanded a $100,000 payment in bitcoin, to which Uber agreed. The payment was handled via the company’s HackerOne bug bounty program, and Uber required the two hackers to sign a confidentiality agreement prohibiting the use of the data and public disclosure of the security breach. (https://www.zdnet.com/article/hackers-who-extorted-uber-and-linkedin-plead-guilty/)
Now Hackerone’s claim is that they process submissions and payments only and act independently and neutrally, being just a liaison between a company and the bug hunters. That claim is totally false. Hackerone staff always had access to bug reports. Even since 2016 (and probably earlier) they offered ‘managed services’ or ‘triage’, where they inspect the bugs before sending them to clients. Hackerone can ban users based on the content of a bug report.
The ransom asked in the case of Uber was 100000 USD in bitcoin, much more than the maximum official reward of 10000 USD.
The bug was officially not in scope, so it should never have been rewarded. It was a vulnerability related to a GitHub repository and not listed in the official program description.
Hackerone during that period, led by founder Jobert Abma, tried to whitewash the ransom payment by banning users with ‘bad passports’ and provoking claims for rewards. This way Hackerone was trying to accuse legitimate bug hunters of extortion, showing that the company fights against extortion.
The selection of participants in the Hackerone events is based on individual reports, so a bug worth 100k should have resulted in an invitation to the next hackathon. That didn’t happen.
At the time of the ransom payment there was no bitcoin option at Hackerone! The option was introduced most likely at the request of Uber to make the payment.
Hackerone actively helped Uber with the ransom payment, was aware of the payment, and was aware that it was illegal. Hackerone and part of its staff should be prosecuted in that case.