
Uber employees secretly tracked politicians and celebrities, lawsuit claims - bhauer
http://www.theverge.com/2016/12/12/13920258/uber-employees-tracking-celebrities-security-lawsuit
======
HappyTypist
Here's the URL to Heaven:
https://heaven.uberinternal.com/

Heaven shows a top down view of all drivers in a city, updated live and with
historic time travel capacity. Uber employees with 'tools access' can open
Heaven for any city in any country.

Heaven has many filters and overlays. For example, you can see an indicator
every time a rider opens the Uber app (nickname: eyeball).

You can click on a car to see the driver's name, photo, and their license
plate. If they are on a ride, you can see the rider's information with another
click.

You can also search directly for a rider or driver with their name, email OR
phone number. You can also write SQL that is executed on a read only replica
that contains 99% of the Uber database; the only columns that are excluded are
credentials (i.e. Braintree payment tokens, password hashes).

While access is logged, spot checks are practically unheard of and SQL exports
of _all_ drivers and/or riders of a particular city are commonplace and not
questioned; and these CSVs can obviously be queried offline without a paper
trail.

Some employees have the ability to remove entries from access logging.
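The two audit weaknesses described in this comment (bulk exports that nobody reviews, and log entries that can be removed) are what a tamper-evident access log is meant to catch. The following is an added illustration, not Uber's code or anything from the article: each entry's hash covers the previous entry's hash, so deleting a middle entry breaks the chain, and a simple rule flags whole-city SQL exports. The event records and the 1000-row threshold are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64          # hash "before" the first entry
BULK_EXPORT_ROWS = 1000     # assumed review threshold for SQL exports


def entry_hash(prev_hash, record):
    """Hash of one entry, bound to the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "hash": entry_hash(prev, record)})
    return log


def verify_chain(log):
    """Return the index of the first broken link, or None if intact.
    Removing or editing any entry except the last one breaks the link of
    the entry that follows it; the last hash should be anchored elsewhere
    (e.g. published daily) so that truncation is also detectable."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


def flag_bulk_exports(log, threshold=BULK_EXPORT_ROWS):
    """(user, rows) for every SQL export at or above the review threshold."""
    return [(e["record"]["user"], e["record"]["rows"]) for e in log
            if e["record"]["action"] == "sql_export"
            and e["record"]["rows"] >= threshold]


# Constructed sample access events (not real users or data).
SAMPLE_EVENTS = [
    {"user": "alice", "action": "view_trip", "rows": 1},
    {"user": "bob", "action": "sql_export", "rows": 250000},  # whole-city dump
    {"user": "carol", "action": "lookup_rider", "rows": 1},
]


def build_sample_log():
    log = []
    for rec in SAMPLE_EVENTS:
        append(log, rec)
    return log


def tampered_log():
    log = build_sample_log()
    del log[1]   # the bulk export "disappears" from the log
    return log
```

With the intact log, `flag_bulk_exports` reports bob's 250000-row export and `verify_chain` returns None; after the entry is deleted, `verify_chain` returns 1, the position where the chain no longer links.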

~~~
avn2109
Imagine how many intelligence agencies have penetrated this and how amazed
they must be at their good fortune.

------
VicVee
A sad truth that no tech company is actually going to start off with an
internal data security and access keys and rules surrounding such things.

I mean, it's inconvenient, sure, but damn, why is it that nobody cares about
security until something actually happens?

Question: Is this actually illegal though? Pretty sure if godmode were illegal
in apps/SDKs, half of the valley could be sued right now. What are the
specifications on that?

------
oriel
These kinds of shenanigans are exactly why I deleted my account years ago and
haven't used the app since.

------
acchow
They don't have data access controls and monitoring?

Doing something like this at Facebook would get you promptly fired.

~~~
jgalt212
Now, it would. But I think things were much different in the early days of
Facebook. That's not to excuse Uber's current or recently current behavior.

~~~
HappyTypist
_Very_ originally Facebook used no version control, and code was managed
manually via FTP.

In login.php, there was a specific magic password that authorised you into
every account. No one bothered to change it even after employee departures.

