Uber petitions page p0wned, thanks to textbook code

Uber has pulled its petition sites offline after a hacker exploited web vulnerabilities, lodging 100,000 fake votes and redirecting visitors to rival Lyft. The hacker, known only as "Austin", could not be reached at the time of writing. Uber has been contacted for comment. Austin says the petition site Uber hoped to use to lobby …

  1. Dan 55 Silver badge

    I'd expect nothing more from Uber.

    However, I do think tutorial code should incorporate basic security from the start; if it's an afterthought in tutorials then it's also going to be an afterthought in real code because developers have been trained that way.

    1. Christoph

      The usual tutorial shows a very simple example to make it easier to understand, then a lot later on mentions that by the way you shouldn't actually use that without some security.

      Which is very bad when reading through to learn code. But it's terrible if you're flipping through it for a quick example of how to do something.

    2. Alister

      The trouble is, adding security to code inevitably increases the complexity of the code (depending on the language, enormously so), and therefore "simple" tutorials to illustrate basic functionality are mostly written without the security additions.

      Any reputable writer will include a disclaimer that states that the code should not be used "as is" in a production environment.

      Unfortunately, developers, being human - and also in certain cases being under time pressure from management - will tend to pick the quick and easy solution, and copy and paste the simple tutorial, rather than the more complex ones showing how it should be done properly.

      1. Anonymous Coward
        Big Brother

        "Unfortunately, developers, being human - and also in certain cases being under time pressure from management - will tend to pick the quick and easy solution..."

        Now they will be under a different sort of 'pressure.'

        There may be quick and easy solutions too.

    3. sysconfig

      Tutorial is a very broad term...

      Anybody can stick some code into a blog or wiki and call it a tutorial. And sure enough, the internet being what it is, someone even less knowledgeable will copy and paste it, and use it on production sites. Q.E.D.

      So you can't really mandate what a tutorial must or must not include, unfortunately. You'd think that any respectable company which depends on the internet to generate business would hire knowledgeable people who do not need random tutorial code and certainly wouldn't just paste it. Oh well...

      1. Mike Moyle
        Trollface

        Re: Tutorial is a very broad term...

        "You'd think that any respectable company which depends on the internet to generate business would hire knowledgeable people..."

        But this is Uber, so they're probably "independent contractors" and Uber isn't responsible for any screw-up.

        Oh, wait...

  2. Velv
    FAIL

    The Bigger Picture

    It's easy to laugh at simple screw-ups like this. And what's the harm? So some links were redirected to a different service, big deal.

    Well it is a big deal. If Uber (and more importantly its parent) can't get the basics in place, have you really got confidence in how they handle your personal information, name, address, dob, CREDIT CARD? Or their "we verify every driver" claims...

  3. drtune

    This is news?

    Newsflash: n00b hacker fucks about with web form written by intern. More news at 11
