A flaw in taxi cab network Uber’s site allowed a security researcher to manipulate the firm’s home page and display an ad for rival Lyft, it has been claimed.
The flaw allegedly concerns Uber’s petitions, which appear to now have been taken offline. The security researcher, Austin Epperson, claimed that he was filling in an Uber petition on its site when he noticed that the form allowed non-numeric and special character inputs into a ‘zip code’ field.
Epperson published a blog post detailing the hack, which culminated in him using the unsecured form to post an iframe that redirected Uber site visitors to competitor Lyft.
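The root cause described above is a free-text field that was neither validated on input nor encoded on output, so whatever was typed into it was stored and later rendered as live markup. As an added illustration that is not Uber's code, the snippet below contrasts that permissive handling with an allow-list check on the zip code and HTML escaping at render time; the field names, the `SAMPLE_ENTRY` submission and `example.com` are all constructed for this example.

```javascript
// Added example (not Uber's or the researcher's code): handling of a petition
// "zip code" field, contrasting a permissive approach with a strict one.

// Strict allow-list: a US ZIP (5 digits) or ZIP+4. Anything else is rejected,
// so markup can never be stored in this field in the first place.
const ZIP_RE = /^\d{5}(?:-\d{4})?$/;

function validateZip(raw) {
  const value = String(raw ?? "").trim();
  return ZIP_RE.test(value) ? { ok: true, value } : { ok: false, value: null };
}

// Escaping for text placed inside an HTML element body: the five characters
// that can start or end tags, attributes and entities are neutralised.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Permissive rendering: stored values are concatenated straight into markup,
// so a stored <iframe> becomes part of the page for every later visitor.
function renderPetitionSignatureUnsafe(entry) {
  return `<li>${entry.name} (${entry.zip})</li>`;
}

// Hardened rendering: validate the field on write, escape every field on read.
// Both layers are needed; the name field is free text and still needs escaping.
function renderPetitionSignatureSafe(entry) {
  const zip = validateZip(entry.zip);
  if (!zip.ok) throw new Error("invalid zip code");
  return `<li>${escapeHtml(entry.name)} (${escapeHtml(zip.value)})</li>`;
}

// Constructed sample submission of the kind the article describes:
// markup placed into the zip field instead of digits.
const SAMPLE_ENTRY = {
  name: "A. Signer",
  zip: '<iframe src="https://example.com/"></iframe>',
};
```

Running `renderPetitionSignatureUnsafe(SAMPLE_ENTRY)` returns markup containing the stored iframe, while `renderPetitionSignatureSafe` refuses the entry at validation time and, for a valid zip, emits only escaped text.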
Epperson wrote: “Someone with bad intentions could secretly infect visitors to Uber’s petition page with a virus, or put a legitimate looking scam on the webpage such as ‘Unlimited free Uber rides for one year! Only $299.. Pay here…’”
He continued to castigate the cab firm: “Thanks Uber for making it so easy to manipulate your website. It’s been a great educational experience, but please don’t do this again. Whoever developed your webpage literally copied and pasted code from an online tutorial that promotes itself as being very simple code.”
Uber’s petition sites remain offline, according to IT blog The Register, and there is no evidence that any personal data was stolen due to the vulnerability. Business Insider reports that Uber has not commented on the claims so far.
This is not the first time this year that Uber has been criticized for its security: a breach of its driver database in March left 50,000 employees vulnerable to having their personal data stolen.
Author Karl Thomas, ESET