An overlooked JavaScript plugin led to a dangerous DOM-based Cross-Site Scripting flaw exploitable across major browsers
Uber has been at the forefront of tech innovation for years, but even giants can stumble. In 2016, security researcher e3xpl0it reported a DOM-based Cross-Site Scripting (XSS) vulnerability on Uber’s eng.uber.com subdomain. The culprit was prettyPhoto, a popular jQuery plugin widely used for image lightboxes, but also known for outdated and unsafe handling of user-controlled input.
The bug worked across Chrome, Firefox, and Internet Explorer, and it fired instantly when a victim opened a single crafted link. Let’s walk through the vulnerability, the vectors used, and how this simple bug could have had a serious security impact.
The prettyPhoto plugin had known vulnerabilities, in particular its unsafe handling of URL hash fragments. The plugin read the fragment portion of the URL (everything after the #), parsed it, and inserted the result into the DOM without sanitizing it first. Because the fragment never leaves the browser, this class of bug is invisible to server-side filtering and logging: the whole injection happens client-side.
Uber’s engineering blog (eng.uber.com) was using this plugin, making it an open target for DOM-based attacks.
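To make the sink concrete, here is an added illustration of the pattern described above. It is not prettyPhoto's code and not from the original report: the fragment grammar (`#!lightbox[gallery]/index/`), the function names and the sample fragments are all constructed stand-ins. The vulnerable version splices fragment text straight into an HTML string destined for `innerHTML`; the hardened version validates the fragment against a strict allowlist and then builds the element through DOM APIs so no user text is ever parsed as markup.

```javascript
// Added illustration (not prettyPhoto's own code): how a lightbox plugin that
// reads the URL fragment can become a DOM-based XSS sink, and how to harden it.
// The fragment grammar "#!lightbox[gallery]/index/" is a constructed stand-in
// for the plugin's real format; every name and value here is an assumption.

// Vulnerable pattern: fragment text is split and spliced into an HTML string
// that the caller later assigns to innerHTML (or jQuery's .html()).
function buildLightboxHtmlUnsafe(hash) {
  const body = hash.replace(/^#!?/, '');          // drop the leading "#" or "#!"
  const [galleryPart, index] = body.split('/');
  const gallery = galleryPart.replace(/^lightbox\[?/, '').replace(/\]$/, '');
  // Attacker-controlled text lands inside markup with no escaping: this is the sink.
  return `<div class="pp_gallery" data-gallery="${gallery}">` +
         `<span class="pp_index">${index}</span></div>`;
}

// Hardened pattern, step 1: parse against a strict allowlist grammar and reject
// anything that does not match exactly (unknown fragments are simply ignored).
const FRAGMENT_RE = /^#!?lightbox\[([A-Za-z0-9_-]{1,64})\]\/(\d{1,4})\/?$/;

function parseLightboxHash(hash) {
  const m = FRAGMENT_RE.exec(hash);
  if (!m) return null;
  return { gallery: m[1], index: Number(m[2]) };
}

// Hardened pattern, step 2: even after validation, never build markup from
// strings the user controls; create elements and set text via DOM APIs.
// `doc` is passed in so the function also runs outside a browser.
function buildLightboxElementSafe(hash, doc) {
  const parsed = parseLightboxHash(hash);
  if (!parsed) return null;
  const wrapper = doc.createElement('div');
  wrapper.className = 'pp_gallery';
  wrapper.setAttribute('data-gallery', parsed.gallery);
  const idx = doc.createElement('span');
  idx.className = 'pp_index';
  idx.textContent = String(parsed.index);   // a text node is never parsed as HTML
  wrapper.appendChild(idx);
  return wrapper;
}

// Minimal stand-in for `document` so the example runs under Node without a browser.
function stubDocument() {
  return {
    createElement(tag) {
      const attrs = {};
      const children = [];
      return {
        tag, className: '', textContent: '',
        setAttribute(k, v) { attrs[k] = v; },
        getAttribute(k) { return attrs[k]; },
        appendChild(c) { children.push(c); return c; },
        get childNodes() { return children; },
      };
    },
  };
}

// Constructed sample fragments (not taken from the original report). The hostile
// one only breaks out of the attribute and opens a harmless <b> tag, which is
// enough to show that fragment text reaches the page as markup.
const BENIGN_HASH = '#!lightbox[uber_eng]/3/';
const HOSTILE_HASH = '#!lightbox[gallery"><b>injected]/3/';

// Stand-alone demonstration.
console.log('unsafe:', buildLightboxHtmlUnsafe(HOSTILE_HASH));
console.log('parsed hostile:', parseLightboxHash(HOSTILE_HASH));
console.log('parsed benign:', parseLightboxHash(BENIGN_HASH));
```

The two fixes are independent and both matter: the allowlist stops unexpected fragments early, and building the element with `createElement`, `setAttribute` and `textContent` means that even a validation slip cannot turn fragment text into markup. Since the fragment never reaches the server, the only detection points are in the browser (a CSP violation report from a `Content-Security-Policy` that blocks inline script) or in the dependency inventory, which is the place where an outdated plugin like this one should have been caught in the first place.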