A vulnerability in Uber’s email system allows anyone to send emails on behalf of Uber. This vulnerability could be abused by malicious actors to email 57 million Uber users and drivers whose information was leaked in the 2016 data breach.
Uber is aware of the flaw but has not fixed it.
Security researcher and bug bounty hunter Seif Elsallamy discovered the flaw in Uber’s systems, which allows anyone to send emails on behalf of Uber.
Because these emails are sent from Uber’s own servers, they look legitimate to an email provider, as technically they are, so they can pass spam filters and land right in the inbox.
The researcher responsibly reported the vulnerability to Uber on Dec 31st via their HackerOne bug bounty program.
However, his report was rejected for being “out-of-scope” on the erroneous assumption that exploitation of the technical flaw itself required some form of social engineering.
Bug bounty hunters Soufiane el Habti and Shiva Maharaj claim they had previously reported the issue to Uber without success.
Elsallamy stated that the vulnerability is “an HTML injection in one of Uber’s email endpoints,” and compared it to a similar flaw discovered in 2019 on Meta’s servers by pen-tester Youssef Sammouda.
For security reasons, the researcher did not disclose the vulnerable Uber endpoint.
In 2016, Uber suffered a data breach in which the personal information of 57 million Uber customers and drivers was exposed.
The researcher states that by exploiting this unpatched vulnerability, adversaries can potentially send targeted phishing scams to millions of Uber users previously affected by the breach.
The researcher advises that the company must sanitize user input in the vulnerable, undisclosed form. Since the HTML is rendered, Uber could use a security encoding library to HTML-entity-encode the input so that any injected HTML appears as plain text rather than markup.
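As an added illustration (not code from the article or from Uber), the following constructed email template interpolates a user-supplied field (hypothetical field name `display_name`) into an HTML body, first with the raw value, as the vulnerable endpoint evidently does, and then with the HTML entity encoding the researcher recommends.

```python
import html
from string import Template

# Constructed HTML email template; the real Uber endpoint and its field
# names are undisclosed, so "display_name" is a hypothetical placeholder.
EMAIL_TEMPLATE = Template("<p>Hi $display_name, thanks for riding with us.</p>")


def render_unsafe(display_name: str) -> str:
    """Vulnerable pattern: the raw user value is interpolated into HTML,
    so any tags the submitter includes are rendered as markup."""
    return EMAIL_TEMPLATE.substitute(display_name=display_name)


def render_safe(display_name: str) -> str:
    """Hardened pattern: HTML-entity-encode the value (including quotes)
    so that any markup in the input is displayed as literal text."""
    return EMAIL_TEMPLATE.substitute(display_name=html.escape(display_name, quote=True))


def markup_survives(rendered: str, submitted: str) -> bool:
    """Check used here to show the difference: does the submitted string
    appear unchanged in the rendered body (i.e. would it render as HTML)?"""
    return submitted in rendered


# Constructed input: a free-text name field containing HTML tags.
INJECTED = '<b>Alice</b><a href="https://example.invalid">link</a>'

if __name__ == "__main__":
    print("unsafe:", render_unsafe(INJECTED))
    print("safe:  ", render_safe(INJECTED))
```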
Uber users, staff, drivers, and associates must check any emails that appear to come legitimately from Uber for signs of phishing, as the possibility of this flaw being exploited by threat actors still remains.