A hacker has forced Uber to take its online petition site down after exploiting a vote-spamming flaw which he said was “super easy for the developer of the website to prevent”.
The hacker, going by “Austin”, found the flaw on 12 June after searching Google for petition and contest sites with the intention of writing a blog post about how both tend not to be secure against fake entries.
Finding an Uber petition asking for access to Market Street in San Francisco as a featured result, he realised it was being hosted by the company itself and wondered how smart it was.
The answer, apparently, was not very.
When Austin discovered that he could enter his zipcode as “zipcode” rather than a traditional postal identifier, he decided to play around with the web form to find out what else it would accept.
The answer was pretty much anything, meaning he was able to insert comment indicators (<!- and ->) as well as insert an iframe which he used to direct visitors to Uber’s petition site to rival site Lyft.com. That diversion stayed in effect for two hours.
Austin, who said that he had not attempted anything more malicious, highlighted a few examples of what else could be done with Uber’s petition site, such as inserting malware or phishing links.
Commenting on the ease of the attack, Austin said:
Thanks Uber for making it so easy to manipulate your website. It's been a great educational experience, but please don't do this again. Whoever wrote your script was in a hurry to get home. Whoever developed your webpage literally copied and pasted code from an online tutorial that promotes itself as being very simple code. I'm serious.
The hacker, who says he threw 100,000 signatures at the online petition using various clicking scripts, even overlaid his own webpage at one point, suggesting visitors should add their endorsement to turning a road into a slip-and-slide “party machine”.
In an update to his post, Austin said he told Uber about the issue a couple of days before he told the world:
At the same time as I started this demo, I notified someone at Uber who immediately notified the appropriate people. I had also contacted Uber a couple days ago informing them I had found an exploit that I was preparing to reveal in this manner. Uber took down the website and redirected the page to their employee login portal first. It now no longer redirects the page; however, it asks for server authentication when anyone tries to load the page. They emailed me saying they are working on it.
Austin finished his blog post by suggesting that Uber could fix its site by limiting the rate of submission inputs and by at least partially validating inputs.
The petition site is still down.
Uber has had its fair share of security and privacy issues in the past. In February this year, an internal lost and found database containing customer and driver information was made public for a short while.
Source: Naked Security