CIO

The infosec researcher allegedly behind the GoGet hack

Nik Cubrilovic is known for helping to uncover vulnerabilities within the Federal Government’s MyGov website

The man charged by police for allegedly hacking into the database of Australian car sharing start-up, GoGet, has been revealed as cyber security researcher and blogger, Nik Cubrilovic, according to Fairfax Media.

Cubrilovic, a self-confessed “former hacker turned security consultant”, is known for helping to uncover vulnerabilities within the Federal Government’s MyGov website, Fairfax Media reported on 31 January.

He also discovered that a package released as part of Yahoo’s Axis browsing tool in 2012 included the private crypto key used by the company to sign the extension, leaving anyone able to build Yahoo-signed Chrome extensions.

"With access to the private certificate file [private key] a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo," Cubrilovic said in a blog post at the time.

Now, Cubrilovic has been identified as the man charged on 31 January by detectives from the NSW Police Cybercrime Squad for allegedly gaining unauthorised access to GoGet’s database on various occasions.

The NSW Police said on 31 January that detectives had charged a 37-year-old man from the Illawarra region in NSW. The unnamed man, who was initially refused bail, was set to appear at Wollongong Local Court on 31 January.

The man, now identified as Cubrilovic, was charged with two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offence; and 33 counts of take and drive conveyance without consent of owner.

The Police said that detectives from the State Crime Command’s Cybercrime Squad established Strike Force Artsy to investigate unauthorised access to the administrative section of GoGet’s website in July last year.

Investigators subsequently identified that unauthorised access had been gained to the company’s fleet booking system and that customer identification information had been downloaded from the database.

Police allege in court that the information obtained by the suspected hacker was used to access vehicles without consent on more than 30 occasions between May and July 2017.

GoGet emailed current and former members on 31 January notifying them of an incident that involved unauthorised activity on its systems, and that customer data had been compromised as a result of the hack.

“Although the investigation by NSW Police is ongoing, it appears that the suspect was accessing GoGet’s systems in an attempt to use GoGet vehicles without permission,” the company said.

“In the process, as part of his overall activity on the system, it also appears that the suspect has accessed personal information of GoGet’s members and individuals who have previously attempted to create a GoGet account,” it said.

GoGet stressed that payment card details that may have been provided by customers were not affected by the incident.