A security researcher has uncovered four cross-site scripting (XSS) vulnerabilities on travel site Uber, a day after an XSS vulnerability was found on the website of private car service Uber, according to posts on xssposed.org.
The Uber vulnerabilities, reported by a security researcher who goes by the handle Nasrul07, made it possible for hackers to modify page content and execute attacks to steal user credentials and post false reviews on the site. As of the researcher’s post on Tuesday, the vulnerability remains unpatched.
The flaw reported on Uber, by a researcher who goes by E1337, would allow the theft of visitors’ cookies, personal details and browser history as well as authentication credentials.
The discovery comes at an inopportune time for Uber, which recently announced a $50 billion financing round ahead of its IPO.