Uber started 2022 with a flaw in its email system that allows unauthorized parties to send messages on its behalf.
Bug bounty hunters have reported the flaw, but the company has dismissed their submissions. Security specialists warn Uber customers and drivers to be cautious when reading emails from Uber.
Bleeping Computer spoke to the bug bounty hunter, Seif Elsallamy, who most recently reported the flaw. Elsallamy demonstrated how it works by sending the tech news and support platform a spoofed email.
However, this was different from most phishing attempts. Bleeping Computer received the email directly in its inbox, not even marked as spam. Besides appearing legitimate, it passed both DKIM and DMARC authentication checks.
This means threat actors could use this vulnerability to get past the safeguards mail providers have in place to fight scams and low-quality content. If left unchecked, it could also begin affecting the deliverability of Uber’s legitimate mail, and have a knock-on effect beyond Uber itself.
Mailing services work hard to ensure high deliverability; if a threat actor infiltrates a service, it could impact all users.
Silence from Uber
According to Bleeping Computer, bug bounty hunters have reported the issue before. However, Uber dismissed it on the belief that the flaw would have to be used in conjunction with social engineering.
As Elsallamy’s demonstration showed, this isn’t the case. But even if it were, leaving the vulnerability would still present a major threat.
Over half the world uses email every day, and even the sloppiest scams catch people unawares.
An email using a service’s legitimate identifiers is all the more dangerous, especially considering the prevalence of Uber in the developing world, where tech literacy is still sorely lacking.
European authorities have already fined Uber nearly €1,000,000 over a data breach that compromised millions of email addresses.
Those leaked addresses would give scammers a ready-made target list for the current vulnerability.
It remains to be seen if Uber will stand by or take action.