A flaw in Uber’s website let a hacker take over a page and do whatever he wanted to it. Thankfully, security researcher Austin Epperson didn’t try to steal personal details or spread malware, instead he used the hack to display an ad for Uber’s arch-rival Lyft.
Epperson was able to hack Uber through a flaw in a new petition it launched to try to convince the local government in San Francisco to allow the company to operate on Market Street.
Uber’s petition let Epperson enter the word “zipcode” as his zipcode in the petition form. That’s a red flag — online forms should only accept numbers for that field.
Epperson tried entering special characters (things like # and <), and was able to submit them. That’s another big problem for an online survey, as allowing special characters to be submitted means that hackers can enter code into websites and take control of them.
The security researcher used the flaw in Uber’s petition to prank the company. Epperson inserted code into the website that made it display the homepage of Lyft, Uber’s biggest rival.
But Epperson didn’t stop there. He created a script to automatically enter code, and used different web browsers to enter over 1,000 signatures a minute. He modified the page to make it seem as if Uber was petitioning to turn Market Street in San Francisco into a giant slip & side.
Epperson discovered after the hack that Uber had copied and pasted the code for its petition from a web tutorial on how to create a “simple” online contact form. This was a serious slip-up by Uber — hackers could have used the vulnerability to enter malicious code that spreads malware, find the personal information of everyone who had signed the petition, or to post a scam link on the site.
Uber eventually took down all of its online petitions following the hack, and there’s no evidence that any personal data was stolen due to the vulnerability. We reached out to Uber for comment on this story and will update this article if we hear back.