A vulnerability in Uber’s email system permits just about anyone to send emails on behalf of Uber. The investigators who found this bug alerted this vulnerability can be harmed by attackers to email around 57 million Uber users and drivers whose information was leaked in the 2016 data hijack. Uber seems to know about the flaw but has not fixed it for now.

‘Your Ride is About to Come’

Our security researchers discovered a flaw in Uber’s systems that permits anyone to send emails on behalf of Uber. These emails, sent from Uber’s servers, would come appropriate to an email provider (because technically they are) and make it past any spam filters.

Wonder getting a message from Uber stating, ‘Your Uber is arriving now,’ or ‘Your Thursday morning trip with Uber’— when you even never made those trips. The email form sent to Xiarch by the researcher urges the Uber customer to facilitate their credit card data. On clicking ‘Confirm,’ the form submits the text fields to a test site set up by the investigators.

Note: However the message did have a clear disclaimer towards the bottom stating, “this is a security vulnerability Proof of Concept,’ and was sent to our experts with the prior permissions.

On New Year’s Eve of 2021, the investigators responsibly reported the vulnerability to Uber through their security bug bounty program. However, the report was rejected for being “out-of-scope” on the invalid assumption that exploitation of the technical bug itself needed some form of social engineering:

It seems this is not the first time that Uber has discharged this particular flaw either.

Around 57 Million Uber Customers and Drivers are at Risk

Adverse to what one may believe, this isn’t a simple case of email spoofing used by threat actors to craft phishing emails. The email sent by the researcher “from Uber” to Xiarch passed both DKIM and DMARC security checks, according to email headers seen by us.

The researcher’s email was sent via SendGrid, an email marketing and customer communications platform used by leading companies. But, Elsallamy tells Xiarch that it is an exposed endpoint on Uber’s servers responsible for the flaw and allows anyone to craft an email on behalf of Uber.

The vulnerability is “an HTML injection in one of Uber’s email endpoints,” says Elsallamy, drawing comparison to a similar flaw discovered in 2019 on Meta’s (Facebook’s) servers by pen-tester Youssef Sammouda. Understandably, for security reasons, the researcher did not disclose the vulnerable Uber endpoint. He questioned Uber, “Bring your [calculator] and tell me what would be the result if this vulnerability has been used with the 57 million email [addresses that leaked] from the last data breach?”

Elsallamy is referring to Uber’s 2016 data breach that exposed the personal information of 57 million Uber customers and drivers. For this mishap, UK’s Information Commissioner’s Office (ICO) had fined Uber £385,000, along with the data protection authority in the Netherlands (Autoriteit Persoonsgegevens) fining the company €600.000. By exploiting this unpatched vulnerability, adversaries can potentially send targeted phishing scams to millions of Uber users previously affected by the breach.

When asked what could Uber do to remediate the flaw, the researcher advises:

“They need to sanitize the users’ input in the vulnerable undisclosed form. Since the HTML is being rendered, they might use a security encoding library to do HTML entity encoding so any HTML appears as text,” Elsallamy told Xiarch.

Our experts reached out to Uber well in advance of publishing but have not heard back at this time. Uber users, staff, drivers, and associates should watch out for any phishing emails sent from Uber that appear to be legitimate as exploitation of this flaw by threat actors remains a possibility.