A security researcher found a flaw in Uber’s servers which can let anyone send emails from the company’s official email account!
The flaw is said to sit in Uber’s endpoint systems; it was reported to Uber, which denied it. The security researcher who found it blamed Uber for ignoring the report and warned users about potential scams exploiting this flaw.
Uber Ignoring Flaw in its Systems
Several tech companies hire pentesters or participate in bug bounty programs to surface unknown bugs in their systems, so they can be patched before a black hat hacker exploits them. Ignoring reasonable bugs even after they have been pointed out, however, isn’t appreciated.
Uber turns out to be a bad example here, as it is ignoring a crucial flaw responsibly reported by a security researcher named Seif Elsallamy. On New Year’s Eve, Elsallamy reported a critical flaw in Uber’s servers through its HackerOne bug bounty program, but the report was senselessly ignored.
According to his findings, Uber’s endpoint servers have an undisclosed flaw that allows anyone to send emails to anyone from Uber’s official email account! The researcher demonstrated this to BleepingComputer by sending a sample phishing email from Uber’s official business email address.
He warned that threat actors could use this flaw to send phishing emails to Uber customers, which could be devastating if combined with the database of over 57 million people leaked in the 2016 breach! Uber rejected the researcher’s report, tagging the bug as “out-of-scope” on the grounds that exploiting the flaw requires social engineering.
Hi @Uber @Uber_Support bring your calc and tell me what would be the result if this vulnerability has been used with the 57 million email addresses that have been leaked from the last data breach?
If you know the result then tell your employees in the bug bounty triage team. pic.twitter.com/f9yKIoCJ6O
— SAFE 😵 (@0x21SAFE) December 31, 2021
While he didn’t disclose the specific details of the bug, since it is unpatched, he did say what Uber could do to fix it. As he put it, “They (Uber) need to sanitize the users’ input in the vulnerable undisclosed form. Since the HTML is being rendered, they might use a security encoding library to do HTML entity encoding so any HTML appears as text.”
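To illustrate the fix the researcher describes, here is an added example (not Uber’s code, and not the researcher’s) that renders a hypothetical transactional-email template with one user-controlled field, once verbatim and once HTML-entity-encoded with Python’s standard `html.escape`, plus a check that flags any user-supplied markup surviving into the rendered body. The template, the field name and the sample input are constructed for the example.

```python
import html
import re

# Constructed template, standing in for the undisclosed form's email body:
# one user-controlled field ({name}) inside otherwise fixed HTML.
TEMPLATE = "<p>Hi {name},</p><p>Your ride receipt is attached.</p>"

# Constructed sample input: a display name that carries HTML markup.
SAMPLE_INPUT = 'Alice<br><a href="https://example.invalid">Update your payment details</a>'


def render_unsafe(name: str) -> str:
    """Interpolates the field verbatim: any HTML the user supplied is
    rendered by the recipient's mail client as part of the message."""
    return TEMPLATE.format(name=name)


def render_escaped(name: str) -> str:
    """Entity-encodes the field before interpolation, so supplied markup is
    displayed as literal text. quote=True also encodes " and ', which
    matters if the field is ever placed inside an attribute."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


# Matches any HTML start or end tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def user_markup_rendered(rendered: str) -> bool:
    """Regression check: True if the rendered body contains any tag that
    is not one of the template's own, i.e. user input became markup."""
    template_tags = set(TAG_RE.findall(TEMPLATE))
    return any(tag not in template_tags for tag in TAG_RE.findall(rendered))


if __name__ == "__main__":
    print("unsafe  :", user_markup_rendered(render_unsafe(SAMPLE_INPUT)))   # True
    print("escaped :", user_markup_rendered(render_escaped(SAMPLE_INPUT)))  # False
    print(render_escaped(SAMPLE_INPUT))
```

In production the same effect is normally obtained by a template engine with autoescaping enabled for every user-controlled field, rather than by hand-escaping each one.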
Until Uber acknowledges the flaw and releases a patch, Uber customers are advised to be cautious of potential scam emails asking for money or sensitive details.