Wednesday 17 June 2015

Visitors Uber-Petition Sent Via Leakage To Competitor


Vulnerability in a petition page of taxi app Uber made it possible for the researcher who discovered the problem visitors could forward it to competitor Lyft. Uber was on its website a petition initiated by users of the app were called to signs.

Researcher Austin Epperson also received the request and immediately discovered that there were all sorts of characters could be completed in the petition form. The problem was compounded by the petition page the last five signed petitions were presented. Epperson He further discovered that could add an iframe to be completed petition, which he visits automatically competitor Lyft.com sent it. Visiting the petition in this case was sufficient to be forwarded. According to the researcher, however, had the leak can be used for far more dangerous things, such as spreading malware or defrauding visitors through a scam page.

To ensure that his petition with code still on the page appeared Epperson discovered another problem, which he eventually using a program 1,000 petitions able to fill every minute. "I stopped when the count had reached 106,000 signatures," so let him into an explanation of the problems found knowledge. After being informed by the investigator Uber took the site from the air, which at the time of writing is still not online. Epperson further states that the developer of the petition page script one-to-one copied from an online manual, which is precisely that it is a simple contact form.

No comments:

Post a Comment