Uber’s Petition Website Hacked To Redirect To Lyft Homepage

A security researcher says he was able to hack Uber's petition website to display a joke petition and rival Lyft's homepage.


It’s no secret that ride-sharing companies Uber and Lyft have enjoyed a spirited rivalry in recent years. Over the weekend, a security researcher inserted himself into the crosshairs of the two ride-hailing services by exploiting a vulnerability in Uber’s petition website that allowed him to showcase and redirect visitors to Lyft’s homepage, while also changing the content of some petitions. Now he’s warning the company – and others like it – to take precautions when using petition and contest websites, as they might prove to be a welcome mat for malevolent hackers.

Business Insider reports that security researcher Austin Epperson used a flaw in Uber’s online petition site to show how easy it can be for a hacker to take over a website through simple content forms. He says Uber customer information was never at risk.

In a post to his blog “This Should Be Fixed,” Epperson says that the prank began after he started researching “popular petition and contest websites that have zero security for preventing fake entries.”

After discovering that an Uber petition to convince San Francisco to allow the company to operate on Market Street would accept input other than digits in the ZIP code field, he decided to find out what else he was capable of doing to the site through the contact form.

In the end, he determined that the form would accept just about everything, including an iframe that allowed him to direct Uber’s petition visitors to Lyft’s website.

Epperson was also able to create a script that automatically entered signatures on the petition at a rate of about 1,000 per minute and changed the wording of the petition to include turning Market Street into a slip and slide, Business Insider reports.
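As an added illustration, not code from Uber’s site or from Epperson’s post, here is a hypothetical Python signature handler showing the three weaknesses the article describes (a ZIP field that accepts anything, form input rendered as raw HTML, and no limit on how fast one client can sign) next to a hardened version; the function names and the limits chosen are assumptions.

```python
import html
import re
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# Hypothetical petition signature handler (added example, not Uber's code).
# The article reports that the real form accepted non-digit ZIP codes and
# raw HTML such as an <iframe>, and took ~1,000 scripted signatures a minute.

ZIP_RE = re.compile(r"^\d{5}$")   # US 5-digit ZIP only
MAX_LEN = 64                      # cap free-text fields
RATE_LIMIT = 5                    # signatures per client per window (assumed)
WINDOW_SECONDS = 60

_submissions: Dict[str, Deque[float]] = defaultdict(deque)


def naive_signature(name: str, zip_code: str) -> str:
    """What the article describes: every field is trusted and echoed
    straight into the petition page, so HTML in a field becomes markup."""
    return f"<li>{name} ({zip_code})</li>"


def validated_signature(name: str, zip_code: str) -> Optional[str]:
    """Hardened version: reject bad ZIPs, cap length, escape before rendering.
    Returns None when the submission should be refused."""
    zip_code = zip_code.strip()
    if not ZIP_RE.fullmatch(zip_code):
        return None
    name = name.strip()
    if not name or len(name) > MAX_LEN:
        return None
    # html.escape turns < > & " ' into entities, so a pasted <iframe> is
    # displayed as text instead of being rendered by visitors' browsers.
    return f"<li>{html.escape(name)} ({zip_code})</li>"


def allow_submission(client_id: str, now: float) -> bool:
    """Sliding-window limit so one client cannot sign hundreds of times a minute."""
    window = _submissions[client_id]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()          # drop timestamps outside the window
    if len(window) >= RATE_LIMIT:
        return False
    window.append(now)
    return True
```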

According to Epperson’s blog post, the hack was live for about two hours. He says he contacted Uber about the issue and the company eventually removed all petitions for the time being.

While both the hacker and Uber say that the safety of customer information was never at risk during the prank, Epperson says that someone with more sinister intentions could have caused serious damage to the site and its visitors.

“Thanks Uber for making it so easy to manipulate your website,” he says in the post. “It’s been a great educational experience, but please don’t do this again. Whoever wrote your script was in a hurry to get home. Whoever developed your webpage literally copied and pasted code from an online tutorial that promotes itself as being very simple code. I’m serious.”

Uber did not immediately return Business Insider’s request for comment on the situation.

Uber’s website was hacked to display an ad for rival company Lyft [Business Insider]
I broke Uber [This Should Be Fixed]
