Seeking to show how little protection online petitions have against fake entries, researcher Austin Epperson targeted an Uber petition website and found that he could not only create more than a thousand fake signatures per minute but also inject content that sent visitors to the website of an Uber rival.
It all began when Epperson found that the Uber petition form accepted the literal text ‘Zipcode’ as his ZIP code, a sign that the field was not validated at all, he wrote in a Saturday blog post. He then realized that he could submit any letters, numbers and other characters in the remaining boxes – first name, last name and email address – and that the page displayed a live feed of the five most recent signatures, built from exactly those submitted values.
Why is that a problem?
“Because when a form freely allows people to use characters such as ‘?! the user can then change the code that is the fabric of the website,” Epperson wrote, going on to add, “I can type code in for my first name and their site will give my code to other visitors of the website.”
Epperson began his testing by submitting an iframe tag in one of the form fields; because the live feed rendered the field unescaped, the page served that iframe to every visitor and pointed them at another website, Uber rival Lyft.com. Once that worked, he realized the same stored injection could be used to load malware onto the page, post scams, or steal the data other signers submitted to the petition.
“I did not do any of these!” Epperson wrote. “Uber can check the 100,000+ submissions in their database and see exactly what code I inputted into their website. None of it was malicious.”
Epperson continued testing to see how effectively he could submit fake entries to the petition.
Using iMacros, a free browser-automation tool, Epperson was initially able to create about 15 signatures per minute. He pushed that to roughly 420 per minute after finding that the page did not need to be reloaded between submissions, and by running the script in several browsers at once he reached more than 1,000 signatures per minute; nothing on the site evidently throttled the repeated submissions.
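To make both weaknesses concrete, the following is an added example written for this edit in Node.js; it is not Epperson's code and not the petition site's code. It models a petition handler two ways: an unsafe path that stores whatever it receives and echoes it into the "five most recent signatures" feed, beside a hardened path that validates the four fields, HTML-escapes every value before the feed is rendered, and applies a per-client sliding-window rate limit. The field names, the five-per-minute limit, the client keys, the sample submissions and the rival.example URL are all assumptions made for the demo.

```javascript
// Added example, not code from Epperson or the petition site. Models the two
// flaws described in the article: (1) form fields echoed unescaped into the
// "five most recent signatures" feed, and (2) an endpoint that accepts an
// unlimited stream of submissions. Field names, limits and client keys are
// assumptions made for this demo.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe submit: stores the fields exactly as received, with no checks at all.
function submitUnsafe(store, fields) {
  store.push({ firstName: fields.firstName, lastName: fields.lastName, zip: fields.zip });
  return { ok: true };
}

// Unsafe feed: interpolates raw values, so a submitted <iframe> tag is served
// to every visitor who loads the page (stored HTML injection).
function renderFeedUnsafe(store) {
  return store.slice(-5).reverse()
    .map((e) => `<li>${e.firstName} ${e.lastName} (${e.zip})</li>`)
    .join('');
}

// Hardened feed: every untrusted value is escaped before it reaches markup,
// so the same tag is displayed as text instead of being rendered.
function renderFeedSafe(store) {
  return store.slice(-5).reverse()
    .map((e) => `<li>${escapeHtml(e.firstName)} ${escapeHtml(e.lastName)} (${escapeHtml(e.zip)})</li>`)
    .join('');
}

// Field validation: names limited to letters, combining marks, spaces and a
// few punctuation characters; ZIP must be exactly five digits (so the literal
// text "Zipcode" is rejected); email must at least look like an address.
// Returns an error message, or null when every field is acceptable.
function validate(fields) {
  const namePattern = /^[\p{L}\p{M}' .-]{1,64}$/u;
  if (!namePattern.test(fields.firstName || '')) return 'invalid first name';
  if (!namePattern.test(fields.lastName || '')) return 'invalid last name';
  if (!/^\d{5}$/.test(fields.zip || '')) return 'invalid ZIP code';
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(fields.email || '')) return 'invalid email';
  return null;
}

// Sliding-window limiter: at most `limit` attempts per client key inside any
// `windowMs` window. In a real deployment the key would be the source IP or
// a session identifier; rejected attempts still count against the window.
function makeRateLimiter(limit, windowMs) {
  const hits = new Map();
  return function allow(clientKey, now) {
    const recent = (hits.get(clientKey) || []).filter((t) => now - t < windowMs);
    const allowed = recent.length < limit;
    if (allowed) recent.push(now);
    hits.set(clientKey, recent);
    return allowed;
  };
}

// Hardened submit: throttle first (the cheapest check), then validate, then store.
function submitSafe(store, allow, fields, clientKey, now) {
  if (!allow(clientKey, now)) return { ok: false, error: 'too many submissions' };
  const err = validate(fields);
  if (err) return { ok: false, error: err };
  store.push({ firstName: fields.firstName, lastName: fields.lastName, zip: fields.zip });
  return { ok: true };
}

// Run the attack against both handlers and report what happened.
function demo() {
  // Constructed payload modelled on the article: an iframe in the first-name
  // field and the word "Zipcode" in the ZIP field. rival.example is a stand-in.
  const payload = {
    firstName: '<iframe src="https://rival.example/"></iframe>',
    lastName: 'Epperson', zip: 'Zipcode', email: 'tester@example.com',
  };
  const unsafeStore = [];
  submitUnsafe(unsafeStore, payload);

  const safeStore = [];
  const allow = makeRateLimiter(5, 60_000); // assumed: five signatures per minute per client
  const rejectedPayload = submitSafe(safeStore, allow, payload, '203.0.113.7', 0);

  // Flood attempt: six well-formed signatures from one client within one minute.
  const valid = { firstName: 'Ann', lastName: 'Lee', zip: '94103', email: 'ann@example.com' };
  const floodResults = [];
  for (let i = 0; i < 6; i++) {
    floodResults.push(submitSafe(safeStore, allow, valid, '198.51.100.9', i * 1000).ok);
  }

  return {
    unsafeHtml: renderFeedUnsafe(unsafeStore),
    // Even if validation were bypassed, escaping alone neutralises the tag:
    safeHtml: renderFeedSafe(unsafeStore),
    rejectedPayload,
    floodResults,
    safeStoreSize: safeStore.length,
  };
}

console.log(demo());
```

The two defences are deliberately independent: validation stops the `Zipcode` and iframe submissions at the door, while output escaping means that even a value which slips past validation (or is loaded from a database filled before the fix) is shown as text rather than executed. The rate limiter is what stops the 1,000-per-minute run; a per-client window is a floor, and a real site would add a proof-of-work or CAPTCHA step for clients that keep hitting it.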
Epperson stopped when the petition count hit about 106,000 signatures, roughly 90,000 of which he estimated were his own submissions.
“This was live for about [two] hours,” Epperson wrote. “At the same time as I started this demo, I notified someone at Uber who immediately notified the appropriate people. I had also contacted Uber a couple days ago informing them I had found an exploit that I was preparing to reveal in this manner.”
The petition website is currently down.
According to an Uber statement emailed to SCMagazine.com on Monday, “We immediately took corrective action. It's important to note the petitions were on a hosted external site, completely outside of Uber data centers with no access to Uber user data. No user data was compromised.”