Uber’s email system is home to a critical security vulnerability. According to security researcher Seif Elsallamy, it can be exploited to send emails to the 57 million Uber users and drivers whose data was leaked in the company’s major 2016 breach.
Seif Elsallamy says an attacker could abuse the flaw to send emails on behalf of the company to more than 57 million users and drivers. As the researcher points out, the personal data of those people, including email addresses and telephone numbers, was compromised in the 2016 breach, in which attackers used credentials found in a private GitHub repository used by Uber engineers to reach the company’s data.
At the time, it emerged that every French Uber customer was affected, i.e. 1.4 million users, and the CNIL ordered the company to pay €400,000 for failing to protect its customers’ data. But back to this security flaw.
According to the researcher, the emails are sent directly from Uber’s servers and therefore look legitimate to a mail provider such as Gmail. That is precisely the problem: because the messages really do originate from Uber’s own sending infrastructure, the sender-authentication checks that anti-spam filters rely on (such as SPF and DKIM) pass, and the emails slip through the net. Only the content, and the person who wrote it, is malicious.
Uber doesn’t give a damn about this serious security flaw
To illustrate the situation, Seif Elsallamy used the flaw to send an email on behalf of Uber to a journalist at the specialist site BleepingComputer. As our colleague notes, the email landed directly in his inbox, not in the spam folder. In the researcher’s message, the customer is asked to enter their bank details because their account has supposedly been suspended. It is a textbook exploitation of this flaw, which lets an attacker borrow Uber’s legitimacy to abuse its customers’ trust and run large-scale phishing campaigns.
On New Year’s Eve 2021, the researcher reported his finding to Uber through the company’s bug bounty programme. But his report was rejected, the company arguing that exploiting the flaw requires some form of social engineering. Seif Elsallamy is categorical, however: an endpoint exposed on Uber’s servers really does allow anyone to craft an email on behalf of the company. More precisely, it is “an HTML injection in one of Uber’s email endpoints”, he says.
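To make the “HTML injection in an email endpoint” concrete, here is an added example, written for this page and not Uber’s code nor the researcher’s proof of concept. It assumes a hypothetical transactional-email endpoint that drops a user-supplied field (here `name`) into an HTML template before handing the result to the company’s mail sender. The template, the field name and the attacker payload are all constructed for illustration. The vulnerable renderer is shown beside a hardened one, plus a cheap check that flags any tag in a rendered body that the template itself never emits.

```python
import html
import re

# Constructed, hypothetical transactional-email template (not Uber's).
TEMPLATE = (
    "<html><body>"
    "<p>Hi {name},</p>"
    "<p>Your trip receipt is attached.</p>"
    "</body></html>"
)

# Constructed attacker-controlled value: a "name" that closes the greeting
# paragraph and injects its own phishing lure into the otherwise genuine mail.
PAYLOAD = (
    'Customer</p><p style="color:red">Your account is suspended. '
    '<a href="https://example.invalid/verify">Update your bank details</a>'
)


def render_vulnerable(name: str) -> str:
    """Interpolates untrusted input straight into the HTML body (the bug)."""
    return TEMPLATE.format(name=name)


def render_hardened(name: str) -> str:
    """Escapes untrusted input so it is displayed as text, never parsed as markup."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def foreign_tags(body: str) -> list[str]:
    """Returns tags present in a rendered body that the template never emits.

    A server-side sanity check to run before a rendered message reaches the
    mail sender: any unexpected tag means untrusted input became markup.
    """
    tag_re = re.compile(r"</?([A-Za-z0-9]+)")
    allowed = set(tag_re.findall(TEMPLATE))
    found = set(tag_re.findall(body))
    return sorted(found - allowed)


if __name__ == "__main__":
    bad = render_vulnerable(PAYLOAD)
    good = render_hardened(PAYLOAD)
    print("vulnerable rendering introduces tags:", foreign_tags(bad))
    print("hardened rendering introduces tags:  ", foreign_tags(good))
```

Escaping is the minimum fix; in practice the endpoint should also reject fields it does not expect and render through a templating engine with autoescaping on by default. Note that neither check has anything to do with mail authentication: a message produced by the vulnerable path still passes every sender check, which is exactly why it lands in the inbox.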
So who is wrong, and who is right? Note that this is not the first time the flaw has been reported to Uber: researchers Soufiane el Habti and Shiva Maharaj had already warned the company about the problem, without prompting any reaction. In any case, be careful when you receive an email from Uber, even one that appears legitimate.