A security researcher has uncovered four cross-site scripting (XSS) vulnerabilities on travel site TripAdvisor, a day after an XSS vulnerability was found on the website of private car service Uber, according to posts on xssposed.org.
The TripAdvisor vulnerabilities, reported by a security researcher that goes by the handle Nasrul07, made it possible for hackers to modify page contact and execute attacks to steal user credentials and post false reviews on the site. As of the researcher's post on Tuesday, the vulnerability remains unpatched.
In a comment emailed to SCMagazine.com, TripAdvisor said, “Protecting the security of our customer information is paramount. Two of the potential vulnerabilities reported we had previously fixed. The other two that impacted a couple of our site pages we had recently learned about, took immediate steps and have already fixed the issue on the site. There is no evidence that any consumers were impacted, and we will continue to monitor.”
The flaw reported on Uber, by a researcher that goes by E1337, would allow the theft of visitors' cookies, personal details and browser history as well as authentication credentials.
The discovery comes at an inopportune time for Uber, which recently announced a $50 billion financing round in preface to its IPO.
UPDATE: This story has been updated to include a statement from TripAdvisor.