{"id":4108,"date":"2022-01-03T21:41:14","date_gmt":"2022-01-03T16:11:14","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=4108"},"modified":"2022-01-03T21:41:21","modified_gmt":"2022-01-03T16:11:21","slug":"uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/","title":{"rendered":"Uber Avoid the Vulnerability that Permits you to Send Any Email from Uber.com"},"content":{"rendered":"\n
A vulnerability in Uber\u2019s email system permits just about anyone to send emails on behalf of Uber. The investigators who found this bug alerted this vulnerability can be harmed by attackers to email around 57 million Uber users and drivers whose information was leaked in the 2016 data hijack. Uber seems to know about the flaw but has not fixed it for now.<\/p><\/p>\n\n\n\n
\u2018Your Ride is About to Come\u2019<\/strong><\/h2>\n\n\n\n
Our security researchers discovered a flaw in Uber\u2019s systems that permits anyone to send emails on behalf of Uber. These emails, sent from Uber\u2019s servers, would come appropriate to an email provider (because technically they are) and make it past any spam filters.<\/p><\/p>\n\n\n\n
Wonder getting a message from Uber stating, \u2018Your Uber is arriving now,\u2019 or \u2018Your Thursday morning trip with Uber\u2019\u2014 when you even never made those trips. The email form sent to Xiarch by the researcher urges the Uber customer to facilitate their credit card data. On clicking \u2018Confirm,\u2019 the form submits the text fields to a test site set up by the investigators.<\/p><\/p>\n\n\n\n
Note:<\/strong> However the message did have a clear disclaimer towards the bottom stating, \u201cthis is a security vulnerability Proof of Concept,\u2019 and was sent to our experts with the prior permissions.<\/p><\/p>\n\n\n\n
On New Year\u2019s Eve of 2021, the investigators responsibly reported the vulnerability to Uber through their security bug bounty program. However, the report was rejected for being \u201cout-of-scope\u201d on the invalid assumption that exploitation of the technical bug itself needed some form of social engineering:<\/p><\/p>\n\n\n\n<\/figure>\n\n\n\n
It seems this is not the first time that Uber has discharged this particular flaw either.<\/p><\/p>\n\n\n\n
Around 57 Million Uber Customers and Drivers are at Risk<\/strong><\/p><\/h2>\n\n\n\n
Adverse to what one may believe, this isn’t a simple case of email spoofing used by threat actors to craft phishing emails. The email sent by the researcher “from Uber” to Xiarch passed both DKIM and DMARC security checks, according to email headers seen by us.<\/p><\/p>\n\n\n\n
The researcher’s email was sent via SendGrid, an email marketing and customer communications platform used by leading companies. But, Elsallamy tells Xiarch that it is an exposed endpoint on Uber’s servers responsible for the flaw and allows anyone to craft an email on behalf of Uber.<\/p><\/p>\n\n\n\n
The vulnerability is “an HTML injection in one of Uber’s email endpoints,” says Elsallamy, drawing comparison to a similar flaw discovered in 2019 on Meta’s (Facebook’s) servers by pen-tester Youssef Sammouda. Understandably, for security reasons, the researcher did not disclose the vulnerable Uber endpoint. He questioned Uber, “Bring your [calculator] and tell me what would be the result if this vulnerability has been used with the 57 million email [addresses that leaked] from the last data breach?”<\/p><\/p>\n\n\n\n
Elsallamy is referring to Uber’s 2016 data breach that exposed the personal information of 57 million Uber customers and drivers. For this mishap, UK’s Information Commissioner’s Office (ICO) had fined Uber \u00a3385,000, along with the data protection authority in the Netherlands (Autoriteit Persoonsgegevens) fining the company \u20ac600.000. By exploiting this unpatched vulnerability, adversaries can potentially send targeted phishing scams to millions of Uber users previously affected by the breach.<\/p><\/p>\n\n\n\n
When asked what could Uber do to remediate the flaw, the researcher advises:<\/p><\/p>\n\n\n\n
“They need to sanitize the users’ input in the vulnerable undisclosed form. Since the HTML is being rendered, they might use a security encoding library to do HTML entity encoding so any HTML appears as text,” Elsallamy told Xiarch.<\/p><\/p>\n\n\n\n
Our experts reached out to Uber well in advance of publishing but have not heard back at this time. Uber users, staff, drivers, and associates should watch out for any phishing emails sent from Uber that appear to be legitimate as exploitation of this flaw by threat actors remains a possibility.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"
A vulnerability in Uber\u2019s email system permits just about anyone to send emails on behalf of Uber. The investigators who found this bug alerted this vulnerability can be harmed by attackers to email around 57 million Uber users and drivers whose information was leaked in the 2016 data hijack. Uber seems to know about the […]<\/p>\n","protected":false},"author":2,"featured_media":4110,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"yoast_head":"\n
Uber Avoid the Vulnerability that Permits you to Send Any Email from Uber.com - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Uber Avoid the Vulnerability that Permits you to Send Any Email from Uber.com - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"A vulnerability in Uber\u2019s email system permits just about anyone to send emails on behalf of Uber. The investigators who found this bug alerted this vulnerability can be harmed by attackers to email around 57 million Uber users and drivers whose information was leaked in the 2016 data hijack. Uber seems to know about the […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-01-03T16:11:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-01-03T16:11:21+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/Uber-Avoid-the-Vulnerability-that-Permits-you-to-Send-Any-Email-from-Uber.com-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"Uber Avoid the Vulnerability that Permits you to Send Any Email from Uber.com\",\"datePublished\":\"2022-01-03T16:11:14+00:00\",\"dateModified\":\"2022-01-03T16:11:21+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/\"},\"wordCount\":627,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/\",\"url\":\"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/\",\"name\":\"Uber Avoid the Vulnerability that Permits you to Send Any Email from Uber.com - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2022-01-03T16:11:14+00:00\",\"dateModified\":\"2022-01-03T16:11:21+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Uber Avoid the Vulnerability that Permits you to Send Any Email from Uber.com\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Uber Avoid the Vulnerability that Permits you to Send Any Email from Uber.com - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/","og_locale":"en_US","og_type":"article","og_title":"Uber Avoid the Vulnerability that Permits you to Send Any Email from Uber.com - Xiarch Solutions Private Limited","og_description":"A vulnerability in Uber\u2019s email system permits just about anyone to send emails on behalf of Uber. The investigators who found this bug alerted this vulnerability can be harmed by attackers to email around 57 million Uber users and drivers whose information was leaked in the 2016 data hijack. Uber seems to know about the […]","og_url":"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2022-01-03T16:11:14+00:00","article_modified_time":"2022-01-03T16:11:21+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/Uber-Avoid-the-Vulnerability-that-Permits-you-to-Send-Any-Email-from-Uber.com-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"Uber Avoid the Vulnerability that Permits you to Send Any Email from Uber.com","datePublished":"2022-01-03T16:11:14+00:00","dateModified":"2022-01-03T16:11:21+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/"},"wordCount":627,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Vulnerabilities"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/","url":"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/","name":"Uber Avoid the Vulnerability that Permits you to Send Any Email from Uber.com - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2022-01-03T16:11:14+00:00","dateModified":"2022-01-03T16:11:21+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/uber-avoid-the-vulnerability-that-permits-you-to-send-any-email-from-uber-com\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Uber Avoid the Vulnerability that Permits you to Send Any Email from Uber.com"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/4108"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=4108"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/4108\/revisions"}],"predecessor-version":[{"id":4113,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/4108\/revisions\/4113"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/4110"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=4108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=4108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=4108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"Uber-Avoid-the-Vulnerability-that-Permits-you-to-Send-Any-Email-from-Uber.com-image3\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/Uber-Avoid-the-Vulnerability-that-Permits-you-to-Send-Any-Email-from-Uber.com-image3-1-1024x417.jpg\")
<\/figure>\n\n\n\n