A security researcher found a flaw in Uber's servers that lets anyone send emails from the company's official email account.
The flaw is said to be in Uber's endpoint systems; it was reported to Uber, which denied it. The security researcher who found it blamed Uber's ignorance and warns users of potential scams exploiting this flaw.
Uber Ignoring Flaw in its Systems
Many tech companies hire pentesters or run bug bounty programs to surface unknown bugs in their systems so they can be patched before a black hat hacker exploits them. Ignoring a reasonable bug even after it has been pointed out, however, isn't appreciated.
Uber turns out to be a bad example here, as it is ignoring a crucial flaw reported responsibly by a security researcher named Seif Elsallamy. On New Year's Eve, Elsallamy reported a critical flaw in Uber's servers through its HackerOne bug bounty program, but the report was simply ignored.
According to his findings, Uber's endpoint servers have an undisclosed flaw that lets anyone send emails to anyone using Uber's official email account. The researcher demonstrated this to BleepingComputer by sending a sample phishing email from Uber's official business email address.
He warned that threat actors could use this flaw to send phishing emails to Uber customers, which would be especially dangerous if combined with the 2016 leaked database of over 57 million people. Uber rejected the researcher's report, tagging it "out-of-scope" on the grounds that exploiting the flaw fundamentally requires social engineering.
Hi @Uber @Uber_Support bring your calc and tell me what would be the result if this vulnerability has been used with the 57 million email addresses that have been leaked from the last data breach?
If you know the result then tell your employees in the bug bounty triage team. pic.twitter.com/f9yKIoCJ6O
SAFE (@0x21SAFE), December 31, 2021
While he did not disclose the specific details of the bug, since it is unpatched, he did say what Uber can do to fix it. In his words: "They (Uber) need to sanitize the users' input in the vulnerable undisclosed form. Since the HTML is being rendered, they might use a security encoding library to do HTML entity encoding so any HTML appears as text."
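The encoding fix the researcher describes, as an added example that is not part of the original article or of Uber's code: a hypothetical transactional-email template rendered once with raw user input and once with HTML-entity encoding, plus a small parser check showing that only the template's own tags survive in the encoded version. The template, field names and sample input are all constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Hypothetical transactional-email template (constructed for this example,
# not Uber's). The braces are the only places user-controlled text enters.
TEMPLATE = "<p>Hello {name},</p><p>Your note: {note}</p>"


def render_unsafe(name: str, note: str) -> str:
    """Vulnerable rendering: user fields are interpolated raw into the HTML,
    so any markup they carry is interpreted by the recipient's mail client."""
    return TEMPLATE.format(name=name, note=note)


def render_safe(name: str, note: str) -> str:
    """Hardened rendering: every untrusted field is HTML-entity encoded
    (<, >, &, quotes) before interpolation, so it arrives as visible text."""
    return TEMPLATE.format(
        name=html.escape(name, quote=True),
        note=html.escape(note, quote=True),
    )


class _TagCollector(HTMLParser):
    """Records the start tags a mail client would actually interpret."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def rendered_tags(body: str) -> list:
    """Tag names present in a rendered body. With correct encoding only the
    template's own <p> tags should appear, whatever the input contained."""
    collector = _TagCollector()
    collector.feed(body)
    return collector.tags


if __name__ == "__main__":
    # Constructed input: a note carrying a link, the kind of markup
    # the encoding step must turn into plain text.
    note = '<a href="https://example.invalid/verify">Verify your account</a>'
    print(rendered_tags(render_unsafe("Alice", note)))  # ['p', 'p', 'a']
    print(rendered_tags(render_safe("Alice", note)))    # ['p', 'p']
```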
Until Uber acknowledges the flaw and releases a patch, Uber customers are advised to be cautious about potential scam emails asking for money or sensitive details.