Vulnerability Management

XSS vulnerabilities found on TripAdvisor and Uber websites

Share

A security researcher has uncovered four cross-site scripting (XSS) vulnerabilities on travel site TripAdvisor, a day after an XSS vulnerability was found on the website of private car service Uber, according to posts on xssposed.org.

The
TripAdvisor vulnerabilities, reported by a security researcher that goes by the handle Nasrul07, made it possible for hackers to modify page contact and execute attacks to steal user credentials and post false reviews on the site. As of the researcher's post on Tuesday, the vulnerability remains unpatched.

In a comment emailed to SCMagazine.com, TripAdvisor said, “Protecting the security of our customer information is paramount. Two of the potential vulnerabilities reported we had previously fixed. The other two that impacted a couple of our site pages we had recently learned about, took immediate steps and have already fixed the issue on the site. There is no evidence that any consumers were impacted, and we will continue to monitor.”

The flaw reported on Uber, by a researcher that goes by E1337, would allow the theft of visitors' cookies, personal details and browser history as well as authentication credentials. 

The discovery comes at an inopportune time for Uber, which recently announced a $50 billion financing round in preface to its IPO.

UPDATE: This story has been updated to include a statement from TripAdvisor.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.