Taxi app Uber plugs 'privacy-threatening' web security flaw

A potentially nasty XSS vulnerability discovered on the website of controversial ride-sharing service Uber has been fixed, according to the security researcher who reported the bug. The cross-site scripting vulnerability put visitors at risk of being compromised via theft of cookies, personal details, authentication …

  1. John Lilburne

    Forget all about that malarky

    You order a ride from your house to a restaurant, some unchecked driver turns up who now knows your home is empty for the next couple of hours.

    1. Robert Helpmann??

      Re: Forget all about that malarky

      ...the flaw - discovered on Sunday - was patched on Monday.

      Not bad at all. Now if they could work out some way of vetting their drivers, for obvious reasons...

    2. ItsNotMe

      Re: Forget all about that malarky

      And it would be nice if they could find a way to fix the "flaws" in some of their drivers, who have been beating passengers up, kidnapping passengers, running over pedestrians, raping passengers, and other "fun activities" performed by them.

      But hey...just think how much money you can save by using Uber. Probably enough to afford a lawyer...later.

    3. John Tserkezis

      Re: Forget all about that malarky

      "You order a ride from your house to a restaurant, some unchecked driver turns up who now knows your home is empty for the next couple of hours."

      And when you leave a bad review because you find your house ransacked after you get home, next day you have three big boofy blokes at your doorstep dressed in suits who wish to have a "chat" with you.

    4. Anonymous Coward

      Re: Forget all about that malarky

      I thought that the privacy-threatening security flaw with Uber was **their own senior staff** looking through one's personal information about one's comings (literally) and goings.

  2. Anonymous Coward

    Oh good.

    Now we only have to worry about their *deliberate* privacy violations, rather than both deliberate and accidental ones.

  3. JCitizen

    I'm not worried anyway!!!

    If they try to "boof" me, they will find out too late my CCW permit. And if they try to tap my home, they will run into my "gang" and some nasty booby traps! HA! I say the honey pot is worth it to catch some scabby bastards!

  4. Anonymous Coward

    Not a problem

    The minor website security issues are not a problem compared to the Uber driver who attacked and raped a woman.



Biting the hand that feeds IT © 1998–2022