Uber has a security hole that allows legitimate-looking email scams

Security researcher Seif Elsallamy has discovered a vulnerability in Uber's email system that allows anyone to send emails pretending to be from the company. The messages are not classified as spam, because the sender address is Uber's legitimate one. According to the researcher, the flaw is caused by the exposure of one of Uber's email endpoints.

In a demonstration of the flaw, Seif sent an email to the Bleeping Computer team containing a form that asked for the user's credit card number so that the account would supposedly not be suspended. The email arrived normally, without being flagged as spam by the provider, and with the correct sender address.

[Image: Uber email security flaw demonstration. Source: Playback/Bleeping Computer]

No response

The worst part is that Uber was informed of the email security problem but wrongly concluded that exploiting the flaw would require social engineering, something Uber considers "out of scope". On New Year's Eve, Seif Elsallamy tried to submit a report about the problem through the HackerOne security platform, but was unsuccessful.

[Image: Uber's response to the attempt to report the problem. Source: Playback/Bleeping Computer]

Other users had already tried to inform Uber about the problem without getting any response. One of them contacted the company in March 2021, but the report was closed by Uber's triager with the rating "Informative".
