Security researcher Seif Elsallamy has discovered a vulnerability in Uber's e-mail system that allows anyone to send emails pretending to be from the company. These messages are not classified as spam, because the sender address used is a legitimate Uber one. According to the researcher, the flaw is caused by the exposure of one of Uber's email endpoints.
To demonstrate the flaw, Seif sent an email to the Bleeping Computer team containing a form that asked for the user's credit card number, supposedly so that their account would not be suspended. The email was delivered normally, without being flagged as spam by the provider, and with the correct sender address.
[Image: Uber email security flaw demonstration. Source: Reproduction/Bleeping Computer]
No response
The worst part is that Uber was informed of the email security problem, but wrongly considered that exploiting the flaw would require social engineering, something that would be "out of scope" for Uber. On New Year's Eve, Seif Elsallamy tried to submit a report about the problem through the HackerOne bug bounty platform, but was unsuccessful.
[Image: Uber's response to the attempt to report the problem. Source: Reproduction/Bleeping Computer]
Other users had already tried to inform Uber about the problem, without getting any response. One of them contacted the company in March 2021, but the report was closed by Uber's triager as "informative".
I reported this issue on @Hacker0x01 last year and the triager closed it as informative xD pic.twitter.com/29yxgTV287
— ${jndi:ldap://mainteemoforfun} (@wld_basha) January 2, 2022