A simple-to-exploit bug that allows bad actors to send emails from Uber’s official system — skating past email security — went unaddressed despite being flagged multiple times by researchers.
A security vulnerability that would allow malicious attackers to send email from Uber’s network appears to be closed – but users could have been swindled already. The easy-to-find bug has been hanging around for years, ready to take Uber’s customers for a ride of a very different sort.
According to Seekurity security researcher and bug-hunter Seif Elsallamy, the HTML-injection issue made it possible to tap into an internet-facing internal Uber API endpoint in order to send out email directly from Uber’s email system (the company uses the SendGrid platform). Because the messages would originate from Uber’s legitimate mail infrastructure, they would carry a valid DKIM signature and pass SPF and DMARC checks rather than being flagged by them: to the recipient’s mail server, they would be indistinguishable from genuine Uber mail.
Obviously, the bug opened a gaping opportunity for cyberattackers to send out social-engineering emails to the ride-sharing giant’s nearly 100 million users – perhaps a message asking them to “verify” their account info or “update” their credit-card information.
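To make the class of bug concrete, the following is an added illustration and not Uber’s code or anything from the researcher’s report: a hypothetical transactional-email builder that drops a caller-supplied field straight into an HTML template, beside a hardened version that escapes it. The template, the parameter name `name` and the attacker input are all constructed for the example; the real endpoint and its parameters are not described on this page.

```python
import html
import re

# Constructed sample of what an attacker could place in a user-controlled
# field of an API call that triggers a transactional email. The text closes
# the template's paragraph and adds a lure link of the attacker's choosing.
ATTACKER_INPUT = (
    'Alex</p><p>Your account is on hold. '
    '<a href="https://example.invalid/verify">Verify your card now</a>'
)

# Hypothetical HTML template; {name} is the only substituted value.
TEMPLATE = "<html><body><p>Hi {name}, your receipt is attached.</p></body></html>"


def build_email_vulnerable(name: str) -> str:
    """Interpolates the caller's value verbatim into the HTML body.

    Any markup in `name` is delivered to the recipient as part of a message
    that is sent from the legitimate mail pipeline and therefore passes
    SPF, DKIM and DMARC.
    """
    return TEMPLATE.format(name=name)


def build_email_hardened(name: str) -> str:
    """Escapes the value so mail clients render it as inert text."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def is_plausible_display_name(name: str) -> bool:
    """Defence in depth: reject values that cannot be a display name.

    Escaping prevents injection; this check additionally refuses inputs that
    contain angle brackets or URLs, so abuse attempts are rejected and can be
    logged at the API boundary instead of being faithfully escaped and sent.
    """
    if not 1 <= len(name) <= 64:
        return False
    if re.search(r"[<>]|https?://", name, re.IGNORECASE):
        return False
    return True


_TAG_RE = re.compile(r"<[^>]+>")


def count_tags(body: str) -> int:
    """Number of HTML tags in a rendered body; the bare template has six."""
    return len(_TAG_RE.findall(body))


def contains_injected_link(body: str) -> bool:
    """True if the body carries a live anchor that the template never had."""
    return '<a href="' in body


if __name__ == "__main__":
    for label, builder in (("vulnerable", build_email_vulnerable),
                           ("hardened", build_email_hardened)):
        body = builder(ATTACKER_INPUT)
        print(f"{label}: {count_tags(body)} tags, "
              f"injected link: {contains_injected_link(body)}")
    print("input accepted by allowlist:", is_plausible_display_name(ATTACKER_INPUT))
```

The vulnerable builder returns a body with ten tags, including the attacker’s anchor; the hardened builder returns the template’s six tags with the payload rendered as literal text. In practice the same result is obtained by rendering with a template engine that has autoescaping enabled, and the allowlist check is what makes the abuse visible in logs rather than silently neutralised.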
Elsallamy forwarded a proof-of-concept example of a possible attack email to BleepingComputer: