XSS in getrush.uber.com
The first vulnerability I found for Uber’s bug bounty was a reflected XSS in getrush.uber.com
. It was caused by Uber not escaping the utm_campaign
, utm_medium
, and utm_source
parameters at getrush.uber.com/business
. It could be exploited by injecting </script><script>alert(0)</script>
into any of those parameters.
I reported this to Uber on March 22nd, it was triaged the same day, and patched on the 23rd. A 3000 dollar bounty was awarded on April 6th. You can see the original report (including a few markdown errors…) here.