Uber Passenger Ratings Exposed via JavaScript Hack

The rating given by Uber drivers to their passengers could have been accessed until a few hours ago by simply pasting a piece of JavaScript code into a Web browser’s console.

Uber is an increasingly popular mobile application that allows users to instantly book a private car or taxi. The app enables users to rate their drivers, but the drivers themselves can also rate passengers. However, under normal circumstances, passenger ratings are directly available only to other drivers.

On Monday, software engineer Aaron Landy published a blog post containing instructions on how passengers could see their ratings by simply logging in to their accounts and executing a piece of JavaScript code in the Web browser console. After running the code, which makes a call to the Uber Web API, users were presented with a pop-up window containing their name, email address and passenger rating.

Uber Rider Ratings Hack

A large number of users reported on Twitter that they had found their rating before Uber took some steps to block the hack.

Contacted by SecurityWeek, Uber refused to provide any explanation as to why it wants to prevent users from exploiting this trick. Instead, the company pointed us to a blog post published in April called “Feedback is a two-way street.”

“An Uber trip should be a good experience for drivers too – drivers shouldn’t have to deal with aggressive, violent, or disrespectful riders. If a rider exhibits disrespectful, threatening, or unsafe behavior, they, too, may no longer be able to use the service,” Uber explained in the post.

The company said at the time that it had been “exploring ways to show the rider’s rating in the next generation of the app.” In the meantime, it advised users to obtain their rating by asking the driver or by contacting customer support.

While this hack might have seemed harmless to many people, some Hacker News readers pointed out the security risks of copying and pasting a random script without fully understanding it. Scammers often use such methods to trick Internet users into handing over access to their online accounts. Facebook has even published an advisory to warn customers about these self-XSS scams.
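The underlying weakness is that the Web API returned the rating to the rider's own authenticated session even though the app never displayed it; anything a logged-in browser can fetch is readable from the console. The following is an added illustration (not Uber's code; the record layout, role names and the policy that drivers see rider ratings while riders do not see their own are assumptions) of server-side response shaping, where the session's role decides which fields are serialised at all:

```javascript
// Added example of per-role field allowlisting on an API response.
// Record shape, role names and the policy are assumptions for illustration.

// Constructed sample record, as it might be stored server-side.
const SAMPLE_RIDER = {
  id: 'rider-123',
  name: 'Example Rider',
  email: 'rider@example.invalid',
  phone: '+1-555-0100',
  rating: 4.7,
  paymentToken: 'tok_constructed_example',
};

// Fields each caller type may receive. Anything not listed is never
// serialised, so a client cannot obtain it by calling the endpoint
// from the browser console; hiding it in the UI is not the control.
const FIELD_POLICY = {
  self: ['id', 'name', 'email', 'phone'],     // rider viewing own profile
  driver: ['id', 'name', 'rating'],           // driver matched with the rider
  support: ['id', 'name', 'email', 'phone', 'rating'],
};

// Returns a new object holding only the allowlisted fields.
// Unknown roles are rejected rather than given a broad default view.
function shapeRiderProfile(record, viewerRole) {
  const allowed = FIELD_POLICY[viewerRole];
  if (!allowed) {
    throw new Error(`no field policy for role "${viewerRole}"`);
  }
  const out = {};
  for (const field of allowed) {
    if (Object.prototype.hasOwnProperty.call(record, field)) {
      out[field] = record[field];
    }
  }
  return out;
}

// Endpoint handler: the server-side session, not a client-supplied
// parameter, decides the view. A rider's own session always gets the
// "self" view, so nothing run from that session can fetch the rating.
function handleGetRider(session, record) {
  const role = session.userId === record.id ? 'self' : session.role;
  return shapeRiderProfile(record, role);
}

// Stand-alone demo: a rider's own session never receives `rating`.
const riderView = handleGetRider({ userId: 'rider-123', role: 'rider' }, SAMPLE_RIDER);
console.log(riderView);
```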


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
