
Uber: Petition Hack was Preventable

June 13, 2019 | 2 min read

On the 20th of June, an anonymous person decided to “break” Uber’s petition site. They then automated a process that produced over 100,000 fraudulent signatures in under 3 hours, effectively rendering the petition useless. The second step could have been avoided if Uber had been using Arkose Labs.

It’s important to note that the first step, the actual breaking of the website through code exploits, isn’t something Arkose Labs (or any other CAPTCHA service) is designed to prevent. The information fields (First Name, Last Name, etc.) accepted any form of input. This allowed the anonymous vigilante to break the web page and even direct future visitors to Uber’s competitor, Lyft. Not cool, right?

The perpetrator then listed what other malicious acts could be carried out through exploitation of the weakness:

Pretty serious stuff. However, this post isn’t about the HTML exploits. Instead, we’re looking at how 100,000 signatures were submitted within 3 hours because the petition didn’t have anything in place to verify that the signatures came from a genuine source.

This is something Arkose Labs specializes in: we ensure that all activity through petitions, contact forms and surveys is genuine. If it isn’t, websites start to see Non-Human Traffic, which skews the results, leading to uninformed decisions and a misunderstanding of what your users or fans want. No one, especially a business, likes to waste time and money — but without a secure method of verification, that’s exactly what happened to Uber in this case. Don’t worry, Uber, we still love your friendly drivers and minty refreshments.

Simply put: if you plan on setting up a petition, a contact form or a survey — use Arkose Labs and avoid the headache that spammers cause.
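
The two weaknesses described above (name fields that accepted any input, and no limit on how fast signatures could arrive) can be illustrated with server-side checks. The following is an added example, not Uber's or Arkose Labs' code: the class, the name policy, the 60-second window and the per-client budget are all assumptions, and a per-client limit only helps when submissions share a client key.

```python
import html
import re
from collections import Counter, defaultdict, deque

# Assumed policy: names are letters (any script) plus space ' . - and at most 60 chars.
NAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[ '.\-]){0,59}")
WINDOW_MS = 60_000   # assumed sliding window
MAX_PER_WINDOW = 5   # assumed per-client budget inside one window


class SignatureIntake:
    """Hypothetical server-side intake for petition signatures."""

    def __init__(self):
        self._recent = defaultdict(deque)  # client key -> accepted timestamps (ms)
        self.accepted = []

    def submit(self, client, first, last, now_ms):
        """Return 'accepted', 'invalid_name' or 'rate_limited'."""
        first, last = first.strip(), last.strip()
        if not (NAME_RE.fullmatch(first) and NAME_RE.fullmatch(last)):
            return "invalid_name"  # markup never reaches storage
        recent = self._recent[client]
        while recent and now_ms - recent[0] >= WINDOW_MS:
            recent.popleft()  # forget signatures older than the window
        if len(recent) >= MAX_PER_WINDOW:
            return "rate_limited"
        recent.append(now_ms)
        self.accepted.append((first, last))
        return "accepted"

    def render(self):
        # Escape on output as well, so a stored value can never become markup.
        return "\n".join(
            f"<li>{html.escape(f)} {html.escape(l)}</li>" for f, l in self.accepted
        )


def replay_constructed_burst(count=1000, interval_ms=108):
    """Constructed input: one client submitting every 108 ms (100,000 per 3 hours)."""
    intake = SignatureIntake()
    return Counter(
        intake.submit("client-a", "Ana", "Silva", i * interval_ms) for i in range(count)
    )


if __name__ == "__main__":
    print(replay_constructed_burst())
```
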