Uber Petition Website Hacked: Hacker Uploaded Ad of Rival Firm Lyft

Exploiting a security flaw, researcher Austin Epperson took control of a page of Uber’s website and displayed an ad for its arch-rival Lyft.

Security researcher Austin Epperson proved that Uber’s website was exploitable by hacking one of its micro-sites. Epperson neither stole personal data nor spread any malware; to prove his point, he displayed an ad for Uber’s rival firm Lyft.

Epperson was able to exploit Uber’s webpage through a flaw in a new petition, which was launched to convince the San Francisco government to let the firm operate on Market Street.


Uber explained that the micro-site that got hacked wasn’t linked to any user login database.

Epperson filled in Uber’s petition and submitted the word “zipcode” as his zipcode. That it was accepted was a red flag, because online forms normally accept only numbers for that field.

He also tried entering special characters such as # and <, and they were accepted. This was another red flag for an online form, because letting special characters be submitted means hackers can easily take control of the website by submitting code of their own.

Epperson used this flaw in Uber’s petition to trick the company. He not only displayed an ad for Uber’s rival firm Lyft but also created a script through which users can enter code automatically. He also entered more than 1,000 signatures per minute using numerous different web browsers, and changed the page to make it appear as if Uber was petitioning to convert San Francisco’s Market Street into a big slip & slide.
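The three weaknesses described above (a zipcode field that takes any text, special characters shown back unescaped, and unlimited automated signatures) each have a standard server-side control. The sketch below is an added example, not Uber’s code or code from the original report; the US ZIP format, the limit of 3 signatures per 60 seconds per client, and all function names are assumptions.

```python
import html
import re
import time
from collections import defaultdict, deque

ZIP_RE = re.compile(r"[0-9]{5}(?:-[0-9]{4})?")  # assumed format: US ZIP or ZIP+4
MAX_SIGNATURES = 3                               # assumed limit per client
WINDOW_SECONDS = 60.0
_recent = defaultdict(deque)                     # client id -> accepted timestamps


def validate_zipcode(value):
    """Allow-list check: return the ZIP code, or None if it is not one."""
    value = value.strip()
    return value if ZIP_RE.fullmatch(value) else None


def allow_submission(client_id, now=None):
    """Sliding-window limit so one client cannot flood the petition."""
    now = time.monotonic() if now is None else now
    stamps = _recent[client_id]
    while stamps and now - stamps[0] >= WINDOW_SECONDS:
        stamps.popleft()
    if len(stamps) >= MAX_SIGNATURES:
        return False
    stamps.append(now)
    return True


def render_signature(name, zipcode):
    """Escape on output so stored text is shown as text, never as markup."""
    return "<li>{} ({})</li>".format(html.escape(name), html.escape(zipcode))


def handle_signature(client_id, name, zipcode, now=None):
    """Return (accepted, html_or_reason) for one petition submission."""
    zip_ok = validate_zipcode(zipcode)
    if zip_ok is None:
        return False, "invalid zipcode"
    if not name.strip() or len(name) > 100:
        return False, "invalid name"
    if not allow_submission(client_id, now):
        return False, "rate limited"
    return True, render_signature(name.strip(), zip_ok)


if __name__ == "__main__":
    # Constructed sample submissions, not data from the incident.
    print(handle_signature("demo", "Ann", "zipcode"))
    print(handle_signature("demo", "<b>Ann</b>", "94103"))
```

Validation rejects bad input early, but the escaping in `render_signature` is what keeps a free-text field such as the name from being interpreted as markup when the signature list is displayed.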

After the hack, Epperson revealed that Uber had copied and pasted the code for the petition from an online tutorial about creating a basic online contact form.

This can be termed a serious slip-up on Uber’s part, and hackers could easily have used this weakness to enter malicious code. That way, attackers could have gained access to the personal information of everyone who signed the petition.

Uber eventually took down all of its online petitions after the hack, and there’s no proof that the personal data of any user was stolen due to this flaw.

This is not the first time that something related to Uber has been hacked. In the past, Uber suffered a massive database breach that exposed the data of 50,000 of its drivers, followed by the hack of Uber USA customers.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and the tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.