A significant security flaw in Uber's email system means that anyone can currently send an email from the Uber.com domain. No, Uber has not intentionally done so. It is, however, choosing to ignore the problem at the moment.
These emails, which are sent from Uber's own servers, seem legitimate to any email provider (because they technically are) and would pass any spam filter. These emails also pass DKIM and DMARC checks and land safely in people's inboxes, the report adds.
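To see why mail relayed through a domain's own infrastructure passes DMARC no matter who wrote it, the following added example (not code from the article, Uber, or the researchers; all domain names and header values are constructed) implements the DMARC identifier-alignment rule and runs it over two constructed Authentication-Results headers: one for an outside spoof and one for a message that really left the domain's servers with a valid DKIM signature.

```python
"""Simplified DMARC evaluator (RFC 7489 alignment semantics).

Added example, not from the original article. Domains such as example.com and
mx.receiver.example are constructed; the parser is a small tokenizer, not a
full RFC 8601 Authentication-Results parser.
"""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (no public-suffix list)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain the recipient sees
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain that SPF checked
    dkim_result: str
    dkim_domain: str   # d= tag of the verified DKIM signature


def dmarc_evaluate(r: AuthResults, adkim: str = "r", aspf: str = "r") -> str:
    """DMARC passes if at least one of SPF or DKIM both passed and is aligned with From."""
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    return "pass" if (dkim_ok or spf_ok) else "fail"


def parse_auth_results(header: str) -> dict:
    """Extract method=result clauses and their property tags from an
    Authentication-Results header value, e.g. {'dkim': {'result': 'pass', 'header.d': ...}}."""
    body = header.split(";", 1)[1] if ";" in header else header  # drop the authserv-id
    out = {}
    for clause in body.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method] = {"result": result, **props}
    return out


def auth_results_from_header(header: str, from_domain: str) -> AuthResults:
    """Build an AuthResults from a parsed header plus the visible From domain."""
    p = parse_auth_results(header)
    spf, dkim = p.get("spf", {}), p.get("dkim", {})
    return AuthResults(
        from_domain,
        spf.get("result", "none"), spf.get("smtp.mailfrom", ""),
        dkim.get("result", "none"), dkim.get("header.d", ""),
    )


# Constructed sample headers (not real captures).
# An outside server forging the From address: no DKIM signature for the
# domain, SPF fails, so DMARC fails and a p=reject policy would drop it.
SPOOF_FROM_OUTSIDE = "mx.receiver.example; spf=fail smtp.mailfrom=example.com; dkim=none"

# A message that really left example.com's own servers: the outbound
# infrastructure signed it, so DKIM passes and is aligned with From.
# DMARC cannot tell that the content was supplied by an unauthorized user.
SENT_VIA_DOMAIN_SERVERS = (
    "mx.receiver.example; spf=pass smtp.mailfrom=example.com; "
    "dkim=pass header.d=example.com"
)

if __name__ == "__main__":
    for label, hdr in [("spoof", SPOOF_FROM_OUTSIDE), ("via domain servers", SENT_VIA_DOMAIN_SERVERS)]:
        print(label, "->", dmarc_evaluate(auth_results_from_header(hdr, "example.com")))
```

The second case is the situation the article describes: DMARC and DKIM answer only "did this domain's infrastructure emit and sign the message?", so a receiver's authentication result is identical for a genuine notification and for attacker-chosen content pushed through the same servers. Detection on the receiving side therefore has to come from content and context (unexpected templates, mismatched links, user reports), and the actual fix is on the sending side: closing the endpoint that lets unauthorized callers submit mail.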
Multiple security researchers have reportedly discovered a serious bug in Uber’s email system enabling unauthorized people to send emails from the Uber.com domain. Researchers claim that an exposed endpoint on the Uber servers is the reason behind the problem, although the company apparently can’t be bothered to fix it.
Uber seems to be aware of the glitch, but it has not fixed it, is staying silent for now and, it would seem, has no intention of remedying the problem.
Whether or not this flaw will reprise the 2016 data breach, which exposed sensitive data on 57 million customers and drivers, remains to be seen. Six years ago, the ICO fined the company $520,000 for the breach, with the Netherlands' data watchdog adding another $680,000.
The vulnerability remains unpatched and could allow malicious actors to send phishing emails to Uber users whose email addresses were leaked in the 2016 data breach.
Remarkably, Uber does not seem interested in patching the vulnerability despite being alerted to the issue on multiple occasions by multiple researchers. In Elsallamy's case, despite reporting the problem to Uber through the HackerOne bug bounty program, his report was rejected as "out-of-scope." The same bug had earlier been reported by at least two other security researchers, who apparently received similar replies from Uber.