A security researcher found a flaw in Uber's servers which can let anyone send emails from the company's official email account!

This flaw is said to be in Uber's endpoint systems; it was reported to Uber, which dismissed it. Yet the security researcher who found it blamed Uber's negligence and warns users of potential scams exploiting this flaw.

Uber Ignoring Flaw in its Systems

Several tech companies hire pentesters or run bug bounty programs to surface unknown bugs in their systems so they can be patched before a black hat hacker exploits them. But ignoring reasonable bug reports after they have been pointed out isn't appreciated.

And Uber turns out to be a bad example here, as it's ignoring a crucial flaw reported responsibly by a security researcher named Seif Elsallamy. On New Year's Eve, Elsallamy reported a critical flaw in Uber's servers through its HackerOne bug bounty program, but the report was dismissed.

As per his findings, Uber's endpoint servers have an undisclosed flaw that allows anyone to send emails to anyone using Uber's official email account! The researcher demonstrated this to BleepingComputer by sending a sample phishing email from Uber's official business email address.

He warned that threat actors could use this flaw to send phishing emails to Uber customers, which would be especially dangerous if combined with the database from the 2016 leak covering over 57 million people. Uber rejected the researcher's claims about this bug, tagging it as "out-of-scope" on the grounds that exploiting the flaw fundamentally requires social engineering.

While he didn't disclose the specific details of the bug, since it's unpatched, he said what Uber can do to secure it. As per him, "They (Uber) need to sanitize the users' input in the vulnerable undisclosed form. Since the HTML is being rendered, they might use a security encoding library to do HTML entity encoding so any HTML appears as text."
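To make the fix he describes concrete, here is an added example (not Uber's code and not the researcher's proof of concept; the template, field name and sample input are all constructed for illustration). It renders a user-supplied text field into an HTML email body both without and with HTML entity encoding, and includes a small check that confirms no markup from the input survives into the rendered email.

```python
"""Constructed notification-email renderer showing HTML entity encoding
of untrusted form input before it is placed in an HTML email body.
Hypothetical example; not Uber's code and not the researcher's PoC."""
import html
import re

# Constructed HTML email template with a placeholder for a user-supplied field.
TEMPLATE = (
    "<html><body>"
    "<p>Hello,</p>"
    "<p>Your rider {rider_name} has sent you a message.</p>"
    "</body></html>"
)


def render_unsafe(rider_name: str) -> str:
    """Before: the field is interpolated verbatim, so any markup typed into
    it becomes part of the rendered email (the bug class the article describes)."""
    return TEMPLATE.format(rider_name=rider_name)


def render_safe(rider_name: str) -> str:
    """After: HTML entity encoding turns <, >, &, \" and ' into entities,
    so whatever was typed into the field is displayed as literal text."""
    return TEMPLATE.format(rider_name=html.escape(rider_name, quote=True))


_TAG = re.compile(r"<[^>]+>")


def injected_tags(rendered: str) -> list:
    """Return any tags in the rendered email that are not part of TEMPLATE.
    A non-empty result means user input was rendered as markup; an empty
    result is the regression check a fix for this bug class should pass."""
    template_tags = set(_TAG.findall(TEMPLATE.format(rider_name="")))
    return [tag for tag in _TAG.findall(rendered) if tag not in template_tags]


# Constructed sample input: a text field containing an HTML link.
SAMPLE_INPUT = '<a href="https://example.invalid/login">Verify your account</a>'

if __name__ == "__main__":
    print("unsafe render injected tags:", injected_tags(render_unsafe(SAMPLE_INPUT)))
    print("safe render injected tags:  ", injected_tags(render_safe(SAMPLE_INPUT)))
    print(render_safe(SAMPLE_INPUT))
```

Escaping at the point where the value is inserted into HTML (output encoding) is what the researcher's advice amounts to; input validation on the form alone is weaker because the same stored value may later be rendered into other contexts. A check like `injected_tags` can be kept as a unit test so the template does not regress to raw interpolation.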

Until Uber acknowledges it and releases a patch, Uber customers are advised to be cautious about potential scam emails asking for money or sensitive details.
