Taxi app Uber plugs 'privacy-threatening' web security flaw

Forget VW, watch out for the XSS bug


Updated: A potentially nasty XSS vulnerability discovered on the website of controversial ride-sharing service Uber has been fixed, according to the security researcher who reported the bug.

The cross-site scripting vulnerability put visitors at risk of being compromised via theft of cookies, personal details, authentication credentials and browser history, the researcher claimed.

El Reg contacted Uber to request comment on Tuesday. We've yet to hear back with anything substantive, but the ride-sharing firm said it was looking into the issue. We'll update if we hear more. Meanwhile, xssposed.org reports that the flaw - discovered on Sunday - was patched on Monday.

Cross-site scripting (XSS) flaws make it possible to inject arbitrary content under the control of hackers into a page while presenting it as if it had come from the original website, opening the door to more convincing phishing scams and worse.

XSS flaws like the one reportedly suffered by Uber are a well-known security risk but nonetheless commonplace. ®

Update

We received this comment from Uber after publication: "The patch is fixed and there are no vulnerabilities/risk"
