Taxi app Uber plugs 'privacy-threatening' web security flaw

Forget VW, watch out for the XSS bug

Updated A potentially nasty XSS vulnerability discovered on the website of controversial ride-sharing service Uber has been fixed, according to the security researcher who reported the bug.

The cross-site scripting vulnerability put visitors at risk of being compromised via theft of cookies, personal details, authentication credentials and browser history, the researcher claimed.

El Reg contacted Uber to request comment on Tuesday. We've yet to hear back with anything substantive, but the ride-sharing firm said it was looking into the issue. We'll update if we hear more. Meanwhile, the researcher reports that the flaw - discovered on Sunday - was patched on Monday.

Cross-site scripting (XSS) problems make it possible to introduce arbitrary content under the control of hackers while presenting it as if it had originated from the original website, opening up the door to more convincing phishing scams and worse in the process.

XSS flaws like the one reportedly suffered by Uber are a well-known security risk but nonetheless commonplace. ®


We received this comment from Uber after publication: "The patch is fixed and there are no vulnerabilities/risk"
