A simple-to-exploit bug that lets bad actors send emails from Uber’s official system, skating past email security, went unaddressed despite being flagged several times by researchers.
A security vulnerability that would allow malicious attackers to send email from Uber’s network appears to be closed, but users could already have been swindled. The easy-to-find bug has been hanging around for many years, ready to take Uber’s customers for a ride of a quite different type.
According to Seekurity security researcher and bug-hunter Seif Elsallamy, the HTML-injection issue made it possible to tap into an internet-facing internal Uber API endpoint in order to send email directly from Uber’s email system (the company uses the SendGrid platform). Since the emails would be coming from an authentic sender, they wouldn’t trigger normal email security filters like DMARC or DKIM.

Obviously, the bug opened a gaping opportunity for cyberattackers to send social-engineering emails to the ride-sharing giant’s nearly 100 million users, perhaps a message asking them to “verify” their account info or “update” their credit-card data.
Elsallamy forwarded a proof-of-concept example of a possible attack email to BleepingComputer:
The danger seems especially pertinent given that Uber suffered a data breach in 2016 that included the email addresses of 57 million of its customers, the researcher pointed out:
heck these days with triage groups, they do not comprehend their very own procedures @Uber @Uber_Assist @Hacker0x01 pic.twitter.com/kCQqwR3M3b
— Secure 😵 (@0x21Safe) December 31, 2021
He also submitted a bug report through HackerOne to Uber, but the issue was rejected because the triage team mistakenly believed exploitation required the social engineering of Uber employees:
Hi @Uber @Uber_Assistance deliver your calc and inform me what would be the result if this vulnerability has been utilised with the 57 million email addresses that have been leaked from the previous data breach? If you know the consequence then explain to your workers in the bug bounty triage team. pic.twitter.com/f9yKIoCJ6O
— Risk-free 😵 (@0x21Secure) December 31, 2021
Making matters worse, he wasn’t the first to report it and be rebuffed. At least two other researchers filed the same issue, with the same result, one as long ago as 2015. That is a lot of time for possible exploitation to have occurred.
“I do not have evidence that this bug has been exploited in the wild, but considering that the report has been duplicated, that usually means at least one researcher has described it before me,” Elsallamy told Threatpost. “So, it looks like it is an easy-to-spot issue [and] I hope that it has not been exploited in the wild. The exploitation was not difficult, it only requires essential HTML and CSS know-how.”
i claimed this issue on @Hacker0x01 last year and triager shut it as instructive xD pic.twitter.com/29yxgTV287
— $jndi:ldap://mainteemoforfun (@wld_basha) January 2, 2022
“The scientists and Uber’s staff members are just doing their job, and I recognize that Uber receives a lot of false reports,” Elsallamy told Threatpost. “But they have at least to devote 5 minutes to the report that had taken me time to put together. Uber’s clients are who will pay for our faults in the end.”
He noted that a fix would be easy: “The issue is not complicated to repair, I believe it will be only one or two lines of code,” he said. “They must sanitize the users’ input by means of a security encoding library, so any HTML appears as regular text.”
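The fix described above, encoding user input so that any HTML appears as regular text, is shown here as an added Python example; it is not Uber's code and does not come from the original article. The template, function names, addresses and sample input are assumptions constructed for illustration.

```python
import html
from collections import Counter
from email.message import EmailMessage
from html.parser import HTMLParser

# Hypothetical template: {name} and {note} arrive as user-controlled API input.
TEMPLATE = "<html><body><p>Hi {name},</p><p>{note}</p></body></html>"

def render_unsafe(name, note):
    """Vulnerable pattern: user input goes into the HTML part verbatim."""
    return TEMPLATE.format(name=name, note=note)

def render_safe(name, note):
    """Hardened pattern: encode each user-supplied value for the HTML context."""
    return TEMPLATE.format(name=html.escape(name, quote=True),
                           note=html.escape(note, quote=True))

class TagCollector(HTMLParser):
    """Records every element a mail client would render from the HTML part."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

def unexpected_tags(markup):
    """Regression check: elements beyond the template's own were injected."""
    template_tags = Counter(tags_in(TEMPLATE.format(name="", note="")))
    return sorted((Counter(tags_in(markup)) - template_tags).elements())

def build_message(sender, recipient, name, note):
    """Multipart message whose HTML part holds only encoded user input."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "Account notice"
    msg.set_content(f"Hi {name},\n\n{note}\n")  # text/plain part, never rendered
    msg.add_alternative(render_safe(name, note), subtype="html")
    return msg

# Constructed sample input: markup supplied where a plain-text note is expected.
SAMPLE_NOTE = '<p>extra</p><a href="https://example.invalid/">click</a>'
```

Running `unexpected_tags` over rendered output in a unit test catches a regression if a later template change drops the encoding step.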
Since the story was reported earlier this week, it appears that Uber has fixed the vulnerability, “because I am not able to reproduce the issue any more,” Elsallamy said. However, because it’s unknown whether the vulnerability has been exploited in the years that it existed, customers who gave up personal information in response to an official Uber email should take action to change their passwords immediately.
Additionally, “I recommend Uber buyers to use exceptional passwords, use credit cards with a limited sum of cash accessible online if they do not want to hold cash, and to use two-factor authentication whenever possible to limit the damage if any of their details have been compromised,” he said.
Uber did not immediately return a request for comment on this story.
Some elements of this article are sourced from:
threatpost.com