DOSarrest Vulnerability Testing and Optimization
Uber’s website was hacked to display an ad for rival company Lyft

June 14, 2015 | Stop DoS

A flaw in Uber’s website let a hacker take over a page and do whatever he wanted to it. Thankfully, security researcher Austin Epperson didn’t try to steal personal details or spread malware; instead, he used the hack to display an ad for Uber’s arch-rival Lyft.

Epperson was able to hack Uber through a flaw in a new petition it launched to try to convince the local government in San Francisco to allow the company to operate on Market Street.

Uber’s petition let Epperson enter the word “zipcode” as his zipcode in the petition form. That’s a red flag — online forms should only accept numbers for that field.

Epperson tried entering special characters (things like # and <), and was able to submit them. That’s another big problem for an online survey, as allowing special characters to be submitted means that hackers can enter code into websites and take control of them.

The security researcher used the flaw in Uber’s petition to prank the company. Epperson inserted code into the website that made it display the homepage of Lyft, Uber’s biggest rival.

Epperson’s prank.

But Epperson didn’t stop there. He created a script to automatically enter code, and used different web browsers to enter over 1,000 signatures a minute. He modified the page to make it seem as if Uber was petitioning to turn Market Street in San Francisco into a giant slip & slide.

Epperson discovered after the hack that Uber had copied and pasted the code for its petition from a web tutorial on how to create a “simple” online contact form. This was a serious slip-up by Uber: hackers could have used the vulnerability to enter malicious code that spreads malware, to find the personal information of everyone who had signed the petition, or to post a scam link on the site.
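The petition form described above accepted the word “zipcode” and special characters in its zipcode field. As an added example (not Uber’s code or the tutorial’s, neither of which the article shows), this Python sketch checks the field on the server and HTML-encodes every stored value when it is displayed; the field names, the five-digit US ZIP rule, the 100-character name limit and the sample values are assumptions made for illustration.

```python
import html
import re

# Assumption: a US five-digit ZIP. [0-9] is used instead of \d because \d also
# matches non-ASCII digits in Python; fullmatch() requires the whole value to match.
ZIP_RE = re.compile(r"[0-9]{5}")
MAX_NAME_LEN = 100  # assumed limit for this sketch


def validate_signature(form):
    """Return (cleaned, errors) for a submitted petition form (dict of str)."""
    errors = {}
    name = (form.get("name") or "").strip()
    zipcode = (form.get("zipcode") or "").strip()

    if not name or len(name) > MAX_NAME_LEN:
        errors["name"] = "name is required, max %d characters" % MAX_NAME_LEN
    if not ZIP_RE.fullmatch(zipcode):
        errors["zipcode"] = "zipcode must be exactly five digits"

    cleaned = None if errors else {"name": name, "zipcode": zipcode}
    return cleaned, errors


def render_signature(sig):
    """Render one stored signature as an HTML list item.

    Names legitimately contain characters such as ' and &, so they cannot be
    restricted to digits the way a zipcode can. Encoding at output time keeps
    any markup in them inert when the page is displayed.
    """
    return "<li>{} ({})</li>".format(
        html.escape(sig["name"], quote=True),
        html.escape(sig["zipcode"], quote=True),
    )


if __name__ == "__main__":
    # Constructed sample submissions, not data from the incident.
    samples = [
        {"name": "Pat", "zipcode": "zipcode"},
        {"name": "Pat", "zipcode": "94103#<"},
        {"name": "Tom & <b>Jo</b>", "zipcode": "94103"},
    ]
    for form in samples:
        cleaned, errors = validate_signature(form)
        print(render_signature(cleaned) if cleaned else "rejected: %s" % errors)
```

Validation alone would not have been enough here, because a free-text field such as the name still has to accept punctuation; the encoding step in `render_signature` is what stops submitted markup from changing the page.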

Uber eventually took down all of its online petitions following the hack, and there’s no evidence that any personal data was stolen due to the vulnerability. We reached out to Uber for comment on this story and will update this article if we hear back.

Source: http://www.businessinsider.com.au/uber-website-hacked-to-display-ad-for-lyft-2015-6
