Uber makes it easy for users to share their estimated time of arrival (ETA) with family members or friends, but sensitive information appended to some of these ETA shares were recently unearthed via Google search results. About a day after the revelation, Uber announced something of a fix.
On Thursday, ZDNet reported the discovery that a Google site search for “trip.uber.com” yielded a list of past Uber trips dating as far back as 2013. A page for a shared trip showed a map with arrival and destination information, along with the route, the driver’s first name, and the passenger’s first name.
But the real creepiness began when you examined the page’s code and found metadata like exact address information, exact trip dates, and exact trip times.
“By cross-referencing the search results with other public information, such as social media accounts, it took just a few minutes to get one Uber passenger’s full name, job description, and other sensitive personal information — including a reasonable guess why that person took the trip in the first place,” according to ZDNet.
Jon Sullivan, chief information security officer at Uber, noted that “all of these links are deliberately shared by users” and said the company would look into the matter.
Since the discovery, Uber has pulled down the searchable database found at trip.uber.com. The company has also changed the shelf life of “Share Your ETA” links so they expire after 48 hours. However, Uber is keeping the “Share Your ETA” feature around, which still allows people with those links to look at the page’s source code and see the exact address entered by the rider.