A flaw in Uber’s email system allows anybody to send emails on behalf of the company. The researcher who found it warned that a threat actor could exploit the weakness to email the 57 million Uber passengers and drivers whose information was compromised in the 2016 data breach. Uber appears to be aware of the vulnerability but has yet to address it.
Seif Elsallamy, a security researcher and bug bounty hunter, uncovered a vulnerability in Uber’s systems that lets anybody send emails on the company’s behalf. Because these emails originate from Uber’s own mail infrastructure, they look legitimate to receiving mail providers and get past spam filters.
Imagine receiving a message from Uber saying ‘Your Uber is arriving now’ or ‘Your Thursday morning trip with Uber’ for journeys you never took. In a demonstration, Elsallamy sent the following email, which appeared to come from Uber and was delivered straight to the inbox.
The researcher’s email contains a form asking the Uber user to enter their credit card details. When the user clicks ‘Confirm,’ the form submits the text fields to the researcher’s test site.
The researcher responsibly disclosed the issue to Uber through its HackerOne bug bounty program on New Year’s Eve 2021. His report was rejected as “out-of-scope,” on the mistaken reasoning that exploiting the technical weakness requires social engineering. The injection itself needs none; the social engineering is only what an attacker chooses to put into the injected content afterwards.
Nor does this appear to be the first time Uber has disregarded the problem. Bug bounty hunters Soufiane el Habti and Shiva Maharaj say they previously escalated the same issue to Uber without success [1, 2, 3].
Contrary to what one might assume, this is not a typical case of a threat actor spoofing the sender address to produce a phishing email. The researcher’s email “from Uber” passed DKIM and DMARC checks, because it was genuinely sent through SendGrid, the email marketing and customer communications platform that handled the message. Sender authentication only establishes that a message left infrastructure authorized for the domain; it says nothing about whether Uber authored the content.
Elsallamy attributes the issue to an exposed endpoint on Uber’s servers that lets anybody send an email on Uber’s behalf. The flaw is “an HTML injection in one of Uber’s email endpoints,” he says, comparing it to a similar vulnerability that pen-tester Youssef Sammouda found on Meta’s (then Facebook’s) servers in 2019. The endpoint in Meta’s case looked like this:
For security reasons, the researcher did not reveal the vulnerable Uber endpoint.
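The following is an added illustration of the bug class described above, not Uber’s code and not the undisclosed endpoint: a transactional-email handler that interpolates a request parameter straight into an HTML template, shown beside the escaped version and a simple outbound check that flags markup the template never contained. The template text, the parameter names, the payload and the `example.invalid` link are all constructed for the example.

```python
"""HTML injection in a transactional-email endpoint: vulnerable vs. fixed.

Added example. Nothing here is Uber's code; the real endpoint was never
disclosed. TEMPLATE, the field names and PAYLOAD are constructed.
"""
from __future__ import annotations

import html
import re

# Constructed template, loosely modelled on a trip notification.
TEMPLATE = (
    "<html><body>"
    "<p>Hi {name},</p>"
    "<p>Your trip on {date} is confirmed.</p>"
    "</body></html>"
)

# The set of tags the template itself contains; anything else in the
# rendered body must have come from a caller-supplied value.
TEMPLATE_TAGS = {"html", "body", "p"}

# Constructed payload: closes the paragraph and inserts a link that is
# rendered by the recipient's mail client. Any markup would do.
PAYLOAD = (
    '</p><a href="https://example.invalid/confirm">'
    "Confirm payment details</a><p>"
)


def render_vulnerable(name: str, date: str) -> str:
    """Interpolates caller-controlled fields into HTML without escaping.

    Whatever markup the caller supplies is delivered verbatim, and because
    the mail is then sent by the company's own provider it passes DKIM and
    DMARC like any legitimate notification.
    """
    return TEMPLATE.format(name=name, date=date)


def render_fixed(name: str, date: str) -> str:
    """Escapes every caller-controlled value before it enters the body."""
    return TEMPLATE.format(
        name=html.escape(name, quote=True),
        date=html.escape(date, quote=True),
    )


_TAG_RE = re.compile(r"<[^>]+>")
_TAG_NAME_RE = re.compile(r"</?\s*([A-Za-z][A-Za-z0-9]*)")


def tag_names(body: str) -> set[str]:
    """Lower-cased names of all tags present in an HTML body."""
    names = set()
    for tag in _TAG_RE.findall(body):
        m = _TAG_NAME_RE.match(tag)
        if m:
            names.add(m.group(1).lower())
    return names


def contains_foreign_markup(body: str, allowed: set[str] = TEMPLATE_TAGS) -> bool:
    """Outbound sanity check: True if the rendered body grew tags that the
    template does not contain. A transactional email should never gain new
    elements from request parameters, so this catches the injection class
    even when the rendering code was not fixed."""
    return not tag_names(body) <= allowed


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        body = render(PAYLOAD, "2022-01-03")
        print(f"[{label}] foreign markup: {contains_foreign_markup(body)}")
        print(body)
```

The escaping fix is the correct one; the `contains_foreign_markup` check is a belt-and-braces control for the mail gateway, useful precisely because the rendering code on the other side of it may not be under the same team’s control.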
By leveraging this unpatched vulnerability, adversaries could conduct targeted phishing campaigns against the millions of Uber users already affected by the 2016 breach. Uber users, drivers, employees and partners should treat any email purporting to come from Uber with caution, since a message that passes spam filters and sender authentication is not thereby proven genuine.