Uber ignored a vulnerability that allowed Uber.com to arbitrarily send emails.


It turns out that a vulnerability in Uber’s email system allowed almost anyone to send email on behalf of Uber.

The researchers who discovered the flaw warned that the vulnerability could be exploited by an attacker to send emails to the 57 million Uber users and drivers whose information was compromised in the 2016 data breach.

Uber seems to be aware of this flaw, but has not fixed it so far.

Security researcher and bug bounty hunter Seif Elsallamy has discovered a glitch in Uber’s system that allows anyone to send emails on behalf of Uber.

These emails sent from Uber’s servers look legitimate to email providers (since they are technically legitimate) and can pass through any spam filter.

Imagine getting a message from Uber saying “Uber is arriving now” or “Thursday morning Uber ride” – even though you’ve never booked such a ride

The email form sent by the researchers urges Uber customers to provide their credit card information.

Once you click “Confirm”, the text field will be sent to the test site set up by the researcher.

On New Year’s Eve, 2021, researchers responsibly reported this vulnerability through Uber’s HackerOne bug bounty program.

However, his report was dismissed as “out of scope” due to the mistaken assumption that exploiting technical flaws requires some form of social engineering.

It seems that this is not the first time that Uber has denied this particular flaw.

Bug bounty hunters Soufiane el Habti and Shiva Maharaj claim to have previously reported the issue to Uber without success.

57 million Uber customers and drivers at risk

This isn’t a simple story of email spoofing used by threat actors to create phishing emails.

In fact, the email that the researchers sent in their “from Uber” test passed both DKIM and DMARC security checks, according to the email headers.

The researcher’s email was sent via SendGrid, an email marketing and customer communication platform used by leading companies.

Elsallamy, however, said that the flaw was caused by an exposed endpoint on Uber’s servers, which allows anyone to compose emails on behalf of Uber.

The vulnerability is “an HTML injection in one of Uber’s email endpoints,” Elsallamy said, comparing it to a similar flaw that pentester Youssef Sammouda found on Meta (Facebook)’s servers in 2019. .

Naturally, for security reasons, the researchers have not published the vulnerable Uber endpoints.

For this mishap, the UK’s Information Commissioner’s Office (ICO) had fined Uber £385,000 and the Dutch data protection authority (Autoriteit Persoonsgegevens) €600,000.

By exploiting this unpatched vulnerability, an attacker may be able to send targeted phishing scams to millions of Uber users who have been affected by breaches in the past.

The researcher advises the following.

We need to sanitize user input that is entered into a vulnerable, private form.

As the HTML is rendered, we might use a security encoding library to perform HTML entity encoding so that any HTML is rendered as text

Uber users, staff, drivers, and stakeholders should be aware of legitimate looking phishing emails sent by Uber, and there is still a possibility that attackers could exploit this flaw.