Uber dismisses vulnerability that lets you email anyone as Uber!

uber

A vulnerability in Uber’s email system allows just about anyone to send emails on behalf of Uber.

The researcher who discovered this flaw warns this vulnerability can be abused by threat actors to email 57 million Uber users and drivers whose information was leaked in the 2016 data breach.

Uber seems to be aware of the flaw but has not fixed it for now.

‘Your Uber is arriving now’

Security researcher and bug bounty hunter Seif Elsallamy discovered a flaw in Uber’s systems that enables anyone to send emails on behalf of Uber.

These emails, sent from Uber’s servers, would appear legitimate to an email provider (because technically they are) and make it past any spam filters.

Imagine getting a message from Uber stating, ‘Your Uber is arriving now,’ or ‘Your Thursday morning trip with Uber’—when you never made those trips.

In a demonstration, Elsallamy sent me the following email message that, without a doubt, appeared to have come from Uber and landed right in my inbox, not junk:

PoC email sent from Uber's servers
PoC email sent to BleepingComputer from Uber’s servers

The email form sent to BleepingComputer by the researcher urges the Uber customer to provide their credit card information.

Note, however, the message did have a clear disclaimer towards the bottom stating, “this is a security vulnerability Proof of Concept,” and was sent to BleepingComputer with prior permission.

PoC disclaimer
PoC disclaimer in the email sent to BleepingComputer from Uber

On New Year’s Eve of 2021, the researcher responsibly reported the vulnerability to Uber via their HackerOne bug bounty program.

However, his report was rejected for being “out-of-scope” on the erroneous assumption that exploitation of the technical flaw itself required some form of social engineering:

Uber rejects researcher's report
Uber rejects researcher’s report concluding that it requires social engineering (Twitter) 

57 million Uber customers and drivers at risk

Contrary to what one may believe, this isn’t a simple case of email spoofing used by threat actors to craft phishing emails.

In fact, the email sent by the researcher “from Uber” to BleepingComputer passed both DKIM and DMARC security checks, according to email headers seen by us.

Email sent from Uber passes DKIM and SPF security checks
Email sent “from Uber” passes DKIM and DMARC security checks (BleepingComputer)

The researcher’s email was sent via SendGrid, an email marketing and customer communications platform used by leading companies.

But, Elsallamy tells BleepingComputer that it is an exposed endpoint on Uber’s servers responsible for the flaw and allows anyone to craft an email on behalf of Uber.

The vulnerability is “an HTML injection in one of Uber’s email endpoints,” says Elsallamy, drawing comparison to a similar flaw discovered in 2019 on Meta’s (Facebook’s) servers by pen-tester Youssef Sammouda.

In Meta’s case, the endpoint looked identical to:

https://legal.tapprd.thefacebook.com/tapprd/Portal/ShowWorkFlow/AnonymousEmbed/XXXXXXXXXXXXX 

Understandably, for security reasons, the researcher did not disclose the vulnerable Uber endpoint.

He questioned Uber, “Bring your [calculator] and tell me what would be the result if this vulnerability has been used with the 57 million email [addresses that leaked] from the last data breach?”

“If you know the result then tell your employees in the bug bounty triage team.”

Elsallamy is referring to Uber’s 2016 data breach that exposed the personal information of 57 million Uber customers and drivers.

For this mishap, UK’s Information Commissioner’s Office (ICO) had fined Uber £385,000, along with the data protection authority in the Netherlands (Autoriteit Persoonsgegevens) fining the company €600.000.

By exploiting this unpatched vulnerability, adversaries can potentially send targeted phishing scams to millions of Uber users previously affected by the breach.

When asked what could Uber do to remediate the flaw, the researcher advises:

“They need to sanitize the users’ input in the vulnerable undisclosed form. Since the HTML is being rendered, they might use a security encoding library to do HTML entity encoding so any HTML appears as text,” Elsallamy told BleepingComputer.

BleepingComputer reached out to Uber well in advance of publishing but has not heard back at this time.

Uber users, staff, drivers, and associates should watch out for any phishing emails sent from Uber that appear to be legitimate as exploitation of this flaw by threat actors remains a possibility.