Cyber Incident Victim: Uber Technologies Inc.

Date: Jun 2015

Location: United States of America

Summary

A ride-sharing company's petition microsite was compromised via a stored cross-site scripting vulnerability, enabling unauthorized code injection that defaced the platform with promotional content for a competitor and redirected visitors. The attacker exploited insufficient input sanitization to manipulate the live signature feed, inserting over 100,000 fraudulent entries and altering site functionality persistently until corrective measures were implemented. Security experts highlighted risks of potential malware distribution, credential phishing, and additional vulnerabilities like SQL injection, though the organization confirmed no user data was breached as the affected site operated externally without access to internal systems. The vulnerability disclosure process became contentious as the discoverer was deemed ineligible for recognition due to public reporting despite the absence of a financial bug bounty program.

CIA Posture: available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 2 techniques (details available to members)
Threat Actor: 1 actor (details available to members)
Threat Actor Type: available to members
Threat Actor Location: available to members

Description

In June 2015, a security flaw on Uber’s petition.uber.org/sf/ microsite was exploited by Thailand-based blogger Austin Epperson, resulting in defacement and unauthorized redirection to competitor Lyft’s website. The vulnerability, identified as a stored cross-site scripting (XSS) flaw, allowed Epperson to inject unsanitized HTML code into the site’s live feed of recent signatures. This manipulation enabled him to alter page content, insert Lyft promotional banners, and automatically redirect visitors to Lyft’s site. Epperson claimed to have submitted over 100,000 automated signatures to maintain the altered state of the site, as new legitimate signatures would otherwise push his malicious code out of the visible feed. The defacement highlighted risks of more severe exploitation, such as malware distribution or credential phishing, particularly as Uber had been emailing users to solicit petition signatures. Epperson notified Uber of the flaw but was deemed ineligible for their non-monetary bug bounty program due to public disclosure. Security researcher Troy Hunt confirmed the severity of the persistent XSS vulnerability, noting it allowed untrusted data to alter page behavior for all users, and identified an additional SQL injection flaw that could expose database contents.
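The flaw described above, a "recent signatures" feed that emits user-supplied names as raw HTML, is illustrated below with a small added example. This is not Uber's code or the petition site's code; the signature values, the feed size and the function names are constructed for the illustration. The unsafe renderer shows how markup in a submitted name becomes live HTML for every visitor, the hardened renderer escapes each name so the browser treats it as text, and a small check detects whether any user-supplied angle brackets survived rendering. The sliding-window helper models why the attacker had to keep submitting entries: only the most recent signatures are displayed, so new legitimate signatures push older entries out of the feed.

```python
import html
from collections import deque

# Constructed sample input: two ordinary names and one name carrying markup
# of the kind a stored XSS relies on (hypothetical link target, not a real one).
SAMPLE_SIGNATURES = [
    "Alice Example",
    "Bob Example",
    "<b>Sign here</b> <a href='https://competitor.example/'>go</a>",
]

FEED_SIZE = 10  # assumed size of the "recent signatures" window


def render_feed_unsafe(names):
    """Vulnerable renderer: concatenates submitted names straight into HTML.

    Any tag inside a name is emitted verbatim and executes or renders for
    every visitor who loads the feed; this is the stored XSS pattern.
    """
    items = "".join(f"<li>{name}</li>" for name in names)
    return f'<ul class="recent-signatures">{items}</ul>'


def render_feed_safe(names):
    """Hardened renderer: HTML-escapes each name before it enters the markup.

    html.escape turns <, >, &, and (with quote=True) ' and " into entities,
    so the browser displays the text instead of interpreting it.
    """
    items = "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in names)
    return f'<ul class="recent-signatures">{items}</ul>'


def contains_unescaped_markup(rendered, names):
    """Defensive check: did any '<' from user input survive into the output?

    The template itself emits exactly one <ul>, one </ul>, and a <li>/</li>
    pair per entry; any additional '<' must have come from a submitted name.
    """
    expected_lt = 2 + 2 * len(names)
    return rendered.count("<") > expected_lt


def latest(names, size=FEED_SIZE):
    """Model of the feed window: only the last `size` signatures are shown.

    An injected entry disappears once `size` newer signatures arrive, which
    is why an attacker would need to keep submitting to stay visible, and
    why escaping at render time (not feed position) is the real fix.
    """
    return list(deque(names, maxlen=size))


if __name__ == "__main__":
    unsafe = render_feed_unsafe(SAMPLE_SIGNATURES)
    safe = render_feed_safe(SAMPLE_SIGNATURES)
    print("unsafe output leaks markup:", contains_unescaped_markup(unsafe, SAMPLE_SIGNATURES))
    print("safe output leaks markup:  ", contains_unescaped_markup(safe, SAMPLE_SIGNATURES))
    print(safe)
```

The check in `contains_unescaped_markup` is intentionally template-specific: it counts the tags the template is known to emit and flags any surplus. In a real deployment the equivalent control is an auto-escaping template engine plus a Content-Security-Policy header, but the counting check is a convenient unit test to pin the behaviour of a feed renderer.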

Uber responded by taking down the San Francisco petition page and implementing fixes across all its petition microsites, which Epperson claimed were universally vulnerable. The company emphasized that the compromised site was hosted externally, with no access to Uber data centers or user data, and stated no user information was breached. Concurrently, Uber faced unrelated scrutiny over allegations that drivers could submit fraudulent insurance documents during onboarding, prompting an investigation by Transport for London. The incident underscored operational security gaps in Uber’s third-party platforms, though the company contained the defacement swiftly. The lack of financial incentives in Uber’s bug bounty program also drew indirect attention amid the researcher’s disclosure.

Sources: 1 source (available to members)