A rogue employee at rideshare behemoth Uber created and deployed a piece of information-gathering software in order to help his company get a leg up on the local competition in Australia, according to a report.
The so-called “secret spyware program” was dubbed Surfcam, and was developed by the employee in 2015, according to an unnamed source who said he or she was a former senior Uber employee. The person told the Australian Broadcasting Corp.’s Four Corners team that the purpose of the malware was to allow Uber drivers to poach drivers from a ride-share competitor called GoCatch.
GoCatch launched as a homegrown start-up in 2012, with backers that included international hedge-fund manager Alex Turnbull (who is also the son of former Australia Prime Minister Malcolm Turnbull).
“Surfcam when used in Australia was able to put fledgling Australian competitors onto the ropes,” the former employee said in the report. “Surfcam allowed Uber Australia to see in real time all of the competitor cars online and to scrape data, such as the driver’s name, car registration and so on.”
The source alleged that Uber used the intel to give competitive employment offers to GoCatch drivers to lure them away from working for the startup.
“GoCatch would lose customers due to poaching of its drivers, draining their supply. With fewer and fewer drivers, [the idea was that] GoCatch would eventually fold,” the purported former Uber employee said.
GoCatch in fact did not go out of business, but “the fact that Uber used hacking technologies to steal our data and our drivers is appalling,” GoCatch’s co-founder and chief executive, Andrew Campbell, told the outlet. “It had a massive impact on our business.”
Meanwhile, an Uber spokesperson told Threatpost that the allegation that Surfcam was or is a “spyware” is far overstating its capabilities.
“This employee didn’t even know how to code,” she said, disputing the notion that Surfcam is a sophisticated hacking tool that tracked the personal information of drivers. “He pulled a script off the internet and modified it to simply crawl publicly available information from websites. That’s not spyware. Unless those sites were leaking personal data, I don’t see how Surfcam could have obtained it.”
It should be noted that this isn’t the first time that Uber and Surfcam have been in the headlines; in 2017, Bloomberg reported that the code was deployed in Singapore, against Grab, the local ride-share competitor there.
“Surfcam, which hasn’t been previously reported, was named after the popular webcams in Australia and elsewhere that are pointed at beaches to help surfers monitor swells and identify the best times to ride them,” Bloomberg said in that report. It added that it “scraped data published online by competitors to figure out how many drivers were on their systems in real-time and where they were.”
Until the ABC report, it was thought that the effort to undermine Grab — which became more popular in the city-state than its multinational rival and last year bought Uber’s assets in the region — was Surfcam’s only outing.
For its part, Uber is unaware that Surfcam was ever used in Australia, according to the spokesperson, who thus did not confirm the ABC source’s claim that it was deployed against GoCatch.
Interestingly, ABC’s source said that at the time Surfcam was in use in Singapore, Uber’s management back in California was also unaware that the software had been developed or used. An employee in the Sydney office took it upon himself to modify off-the-shelf code (no word on which web-crawling kit he used) for Uber-specific purposes.
That same developer then moved to Southeast Asia, where he apparently brought Surfcam with him in order to put the squeeze on Grab in Singapore.
Once Uber found out about Surfcam’s existence, its use was prohibited, according to the source, according to an Uber Australia spokeswoman speaking to ABC and according to the Uber spokesperson contacted by Threatpost.
Bloomberg meanwhile said in the 2017 report that the employee eventually moved to Uber’s European headquarters in Amsterdam and is still employed by the company.
Uber’s alleged use of Surfcam happened at a time when the company was fighting several legal battles and had landed in privacy turmoil more than once. In 2017 for instance, it agreed to 20 years of privacy audits as part of a settlement with the FTC over its “God View” function, which allowed the company to monitor and log the real-time locations of customers and drivers without their consent.
“It’s fair to say that there were some questionable tactics back in the day that were used to convince drivers of rival services to join Uber,” the spokesperson told Threatpost, citing one practice where Uber employees would book rides with other services and then spend their time in the car trying to convince the driver to switch. “But that was the past, and Uber as a company never created or deployed so-called ‘spyware.'”
Don’t miss our free live Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub,” TODAY, Wed., Mar 20, at 2:00 p.m. ET.
Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, will join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.