Uber ignores vulnerability that lets you send any email from Uber.com

A vulnerability in Uber’s email system allows just about anyone to send emails on behalf of Uber.

The researcher who discovered this flaw warns this vulnerability can be abused by threat actors to email 57 million Uber users and drivers whose information was leaked in the 2016 data breach.

Uber seems to be aware of the flaw but has not fixed it for now.

‘Your Uber is arriving now’

Security researcher and bug bounty hunter Seif Elsallamy discovered a flaw in Uber’s systems that enables anyone to send emails on behalf of Uber.

These emails, sent from Uber’s servers, would appear legitimate to an email provider (because technically they are) and make it past any spam filters.

Imagine getting a message from Uber stating, ‘Your Uber is arriving now,’ or ‘Your Thursday morning trip with Uber’—when you never made those trips.

In a demonstration, Elsallamy sent me the following email message that, without a doubt, appeared to have come from Uber and landed right in my inbox, not junk:

PoC email sent to BleepingComputer from Uber’s servers

The email form sent to BleepingComputer by the researcher urges the Uber customer to provide their credit card information.

Note, however, the message did have a clear disclaimer towards the bottom stating, “this is a security vulnerability Proof of Concept,” and was sent to BleepingComputer with prior permission.

PoC disclaimer in the email sent to BleepingComputer from Uber

On New Year’s Eve of 2021, the researcher responsibly reported the vulnerability to Uber via their HackerOne bug bounty program.

However, his report was rejected for being “out-of-scope” on the erroneous assumption that exploitation of the technical flaw itself required some form of social engineering:

Uber rejects researcher’s report concluding that it requires social engineering (Twitter)

It seems this isn’t the first time this particular flaw has been dismissed by Uber either.

Bug bounty hunters Soufiane el Habti and Shiva Maharaj claim they had reported the issue to Uber earlier without success [1, 2, 3].

57 million Uber customers and drivers at risk

Contrary to what one may believe, this isn’t a simple case of email spoofing used by threat actors to craft phishing emails.

In fact, the email sent by the researcher “from Uber” to BleepingComputer passed both DKIM and DMARC security checks, according to email headers seen by us.

Email sent “from Uber” passes DKIM and DMARC security checks (BleepingComputer)

The researcher’s email was sent via SendGrid, an email marketing and customer communications platform used by leading companies.

But Elsallamy tells BleepingComputer that the flaw lies in an exposed endpoint on Uber’s servers, which allows anyone to craft an email on behalf of Uber.

The vulnerability is “an HTML injection in one of Uber’s email endpoints,” says Elsallamy, drawing a comparison to a similar flaw discovered in 2019 on Meta’s (Facebook’s) servers by pen-tester Youssef Sammouda.

In Meta’s case, the endpoint looked identical to:

https://legal.tapprd.thefacebook.com/tapprd/Portal/ShowWorkFlow/AnonymousEmbed/XXXXXXXXXXXXX


Understandably, for security reasons, the researcher did not disclose the vulnerable Uber endpoint.

He questioned Uber, “Bring your [calculator] and tell me what would be the result if this vulnerability has been used with the 57 million email [addresses that leaked] from the last data breach?”

“If you know the result then tell your employees in the bug bounty triage team.”

Elsallamy is referring to Uber’s 2016 data breach that exposed the personal information of 57 million Uber customers and drivers.

For this breach, the UK’s Information Commissioner’s Office (ICO) fined Uber £385,000, and the Dutch data protection authority (Autoriteit Persoonsgegevens) fined the company €600.000.

By exploiting this unpatched vulnerability, adversaries can potentially send targeted phishing scams to millions of Uber users previously affected by the breach.

When asked what Uber could do to remediate the flaw, the researcher advises:

“They need to sanitize the users’ input in the vulnerable undisclosed form. Since the HTML is being rendered, they might use a security encoding library to do HTML entity encoding so any HTML appears as text,” Elsallamy told BleepingComputer.
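To illustrate the fix the researcher describes, here is an added example (not Uber’s code, and not from the researcher) showing a transactional email template whose user-supplied field is interpolated raw versus HTML-entity-encoded, plus a pre-send check that flags tags the template did not contain. The template, field name and sample input are constructed for the demonstration.

```python
import html
import re

# Constructed template for a transactional message; the {name} field is
# filled from a value that originates in a user-controlled form.
TEMPLATE = "<p>Hi {name},</p><p>Your Uber is arriving now.</p>"

# Constructed sample input: markup placed in a field meant to hold plain text.
UNTRUSTED_NAME = '<a href="https://example.invalid">Update payment</a>'

# Matches an opening or closing HTML tag in a rendered body.
TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")


def render_vulnerable(template: str, name: str) -> str:
    """Raw interpolation: any markup in `name` is rendered by the mail client."""
    return template.format(name=name)


def render_hardened(template: str, name: str) -> str:
    """HTML-entity-encode the field first, so any markup in it appears as text.

    This is the remediation the researcher recommends: html.escape turns
    <, >, &, " and ' into entities before the value reaches the template.
    """
    return template.format(name=html.escape(name, quote=True))


def injected_tags(rendered: str, template: str) -> list:
    """Return tags present in the rendered body but absent from the template.

    A non-empty result means user input introduced markup; suitable as a
    last-line check on outbound mail generated from untrusted fields.
    """
    expected = set(TAG_RE.findall(template))
    return [tag for tag in TAG_RE.findall(rendered) if tag not in expected]


if __name__ == "__main__":
    print("vulnerable:", injected_tags(render_vulnerable(TEMPLATE, UNTRUSTED_NAME), TEMPLATE))
    print("hardened:  ", injected_tags(render_hardened(TEMPLATE, UNTRUSTED_NAME), TEMPLATE))
```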

BleepingComputer reached out to Uber well in advance of publishing but has not heard back at this time.


Uber users, staff, drivers, and associates should watch out for any phishing emails sent from Uber that appear to be legitimate as exploitation of this flaw by threat actors remains a possibility.

Update 11:55 AM: Added reference to the same flaw having been apparently reported in 2015/16 and March 2021 but dismissed.
