Uber lets you send anyone an email claiming to be from Uber.com

A woman using a laptop to send email replies.
(Image credit: Shutterstock)

A software bug means that pretty much anyone can currently send an email from the Uber.com domain. No, Uber has not intentionally done so. It is, however, choosing to ignore the problem at the moment.

These are the conclusions of multiple security researchers, which blame an exposed endpoint on Uber's servers allowing anyone to use SendGrid, an email marketing and customer communications platform, to send emails on behalf of the taxi ride giant.

The vulnerability is "an HTML injection in one of Uber's email endpoints," security researcher and bug bounty hunter, Seif Elsallamy, told BleepingComputer. These emails can pass both DKIM and DMARC security checks and land safely in people’s inboxes, the report adds. 

Sending out fake warnings

In a demonstration email, Elsallamy crafted a message warning the user that their account is about to be suspended and that they need to re-submit their payment data. Such emails, which could easily be leveraged to obtain sensitive and payment data from millions of paying Uber customers, would be sent from a legitimate Uber domain. This is just an example of the potency of the flaw. Distributing malware, ransomware, or simple spam, are all realistic possibilities.

To fix the issue, Uber needs to “sanitize the users’ input in the vulnerable undisclosed form”, he explains. 

“Since the HTML is being rendered, they might use a security encoding library to do HTML entity encoding so any HTML appears as text.”

Uber is staying silent at the moment and, it would seem, with no intention of remedying the problem. Elsallamy notes that Uber is under the impression that for the flaw to be used, there needs to be “some form” of social engineering, and has dismissed it as such.

Whether or not this flaw reprises the 2016 data breach, that exposed sensitive data on 57 million customers and drivers, remains to be seen. Six years ago, the ICO fined the company $520,000 for the breach, with the Netherlands’ data watchdog adding another $680,000.

TechRadar Pro has approached Uber for comment

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.