Uber has fixed a gaping privacy hole which left ride details for some passengers visible in Google searches, with full address information available even months after the journey. The glitch was a side-effect of Uber’s “Share my ETA” feature, launched in 2013, which allows users to show others the progress of their trip.
After choosing “Share my ETA” in the Uber app, the user would get a shareable link that opened up a map of the journey, the final destination and how long it would take to reach it, and information on the driver themselves.
Although Uber intended the feature to be used to give real-time notifications of the progress of someone’s ride, the information in the links was sticking around long after the journey had been completed.
If the rider posted the link somewhere publicly, search engines like Google would index the ETA data. A search for “trip.uber.com” turned up many results, each of which had pickup and destination address, the route traveled, the driver’s name, car, and rating, and the name of the rider.
Luckily for Uber, credit card details used to pay for the trip were not part of the data.
Now, Uber tells Business Insider, “Share my ETA” links will be set to expire 48 hours after they are generated. Any publicly available pages still in existence have also been wiped.
It’s worth noting, however, that the source code of the ETA page does include origin address information, though that location isn’t visible on the page itself. Someone with a mind to figure out where you were traveling from, and with access to the link within that two day window, would be able to sift through the source and pull the details out from there.