
I broke Uber - chermanowicz
http://thisshouldbefixed.dreamhosters.com/2015/06/i-broke-uber/
======
alialkhatib
previous discussion with author's responses here:
[https://news.ycombinator.com/item?id=9715730](https://news.ycombinator.com/item?id=9715730)

------
aidos
For those following along at home, don't do this. Ever. a) it's really
annoying for the developers who have to stay late dealing with the fallout and
b) if you get caught, you could be in a lot of trouble.

Whoever wrote this is very pleased with themselves but it's trivial stuff in
the web industry. Here's a hint for next time - you don't need a web browser
to do these sorts of attacks. Read up, you'll learn something - try and use
that knowledge for something productive next time around.

On a slightly sarcastic note, multiple VMs for a scraping attack #lol /s

------
inglor
tl;dr - found an XSS via HTML injection on an Uber petition page.

What they did was a pretty basic XSS attack. The fact they were successfully
able to do this is a major problem for Uber basically. Not escaping arbitrary
user input you're showing is not something that should ever go to production.

This is pretty embarrassing. It happens, but facilitating code review, pen
testing (even automated pen testing) and QA should definitely catch it.

Update: Based on more data from the author this is a faulty WordPress plugin
which they used.
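An added example, not code from the thread, from the author's write-up or from Uber's petition page: the defect inglor describes is a page that interpolates user-supplied text straight into HTML, and the fix is escaping it at the point where it is rendered. The function names (`escapeHtml`, `renderUnsafe`, `renderSafe`, `containsInjectedTag`) and the sample input are assumptions constructed for illustration; the third function is the kind of check a code review or automated QA pass could run over rendered output to flag the problem before it reaches production.

```javascript
// Added example (not from the thread). Hypothetical names throughout.

// Escape the five characters that change meaning in HTML text and
// attribute contexts. Output is safe to place inside element content
// or inside a double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the signer's name goes into markup unchanged,
// so any tag in the name becomes part of the page (HTML injection -> XSS).
function renderUnsafe(signerName) {
  return `<li class="signer">${signerName}</li>`;
}

// Hardened rendering: same template, value escaped before interpolation.
function renderSafe(signerName) {
  return `<li class="signer">${escapeHtml(signerName)}</li>`;
}

// Constructed test input: the classic alert-window probe that sccxy mentions
// downthread. It is harmless on its own; the point is whether it survives
// rendering as markup or is neutralised into text.
const SAMPLE_NAME = '<img src=x onerror=alert(1)>';

// Review-time check: does the rendered fragment contain any element name
// that the template itself did not produce? Used as a QA assertion here.
function containsInjectedTag(html, templateTags) {
  const found = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return found
    .map((t) => t.replace(/<\/?/, '').toLowerCase())
    .some((tag) => !templateTags.includes(tag));
}

// Run both renderers over the sample and report which one leaks markup.
function demo() {
  const unsafe = renderUnsafe(SAMPLE_NAME);
  const safe = renderSafe(SAMPLE_NAME);
  return {
    unsafe,
    safe,
    unsafeLeaksTag: containsInjectedTag(unsafe, ['li']),
    safeLeaksTag: containsInjectedTag(safe, ['li']),
  };
}

console.log(demo());
```

Escaping at render time is the minimum; a templating engine that escapes by default (so that the unsafe path has to be opted into explicitly) removes the class of mistake rather than relying on every contributor to remember the call.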

------
andor
With great power comes great responsibility... if you don't want to be labeled
a script kiddie, just send an email next time.

------
madaxe_again
When corporate law gets hold of this, brace yourself for jail time. This is
"unauthorised access" under CFAA.

~~~
sccxy
True.

I got into trouble for simple JS alert window XSS...

------
yandie
He didn't break Uber, he broke their petition page.

Admittedly, Uber fucked up. But the title is misleading...

------
inglor
I wonder, why did this get nuked?

------
Zekio
I love the last video, glad I'm not in the shoes of the guy who was set to
make the website xD

