A significant security hole in Uber's email system reportedly lets anyone send emails from the company's official Uber.com domain. Headquartered in San Francisco, Calif., Uber is one of the largest ride-hailing companies, with operations in dozens of countries worldwide. The company is said to hold around 69 percent of the rideshare market in the U.S., with Lyft accounting for the rest.

Like most other tech companies, Uber runs a bug bounty program that pays out rewards for vulnerabilities found in the company's software systems. The company has paid more than $2.8 million in bug bounties over the years, including $16,000 over the last 90 days, but this particular vulnerability in the email system remains unpatched as of now. Uber has already endured several controversies over the years, and the last thing it needs is to create a new security issue by not taking the email bug seriously.


Multiple security researchers have reportedly discovered a serious bug in Uber's email system that enables unauthorized people to send emails from the Uber.com domain. Researchers say an exposed endpoint on Uber's servers is the root of the problem, although the company apparently can't be bothered to fix it. Describing the vulnerability to Bleeping Computer, security researcher and bug bounty hunter Seif Elsallamy said that the bug is "an HTML injection in one of Uber's email endpoints" and can pass both DKIM and DMARC security checks to reach people's email inboxes. That is what makes the bug dangerous: because the message is generated and sent by Uber's own mail pipeline, it carries a valid Uber DKIM signature and comes from an authorized sender, and DKIM and DMARC verify where a message came from, not what its body contains. Spam filters and the padlock-style "authenticated sender" indicators in mail clients therefore treat attacker-supplied content exactly like a genuine Uber receipt.
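To show the bug class in working code, the following is an added illustration written for this article, not code from Uber or from the researcher: a hypothetical transactional-email endpoint that drops a request field into an HTML template. The template, the "name" field and the allowlist are assumptions; the real Uber endpoint was not disclosed. The vulnerable renderer lets a caller smuggle a phishing link into a message that the brand's own infrastructure then signs and sends; the hardened renderer escapes and validates the field first.

```python
"""Constructed example of HTML injection in a transactional-email endpoint.
Hypothetical code written for this article; NOT Uber's endpoint or template."""
import html
import re

# Hypothetical template (assumption). A provider such as SendGrid would substitute
# the placeholder, then DKIM-sign and send the result from the brand's domain,
# so whatever ends up in the body passes DKIM/DMARC at the recipient.
TEMPLATE = (
    "<html><body>"
    "<p>Hi {name},</p>"
    "<p>Your ride receipt is ready.</p>"
    "</body></html>"
)


def render_vulnerable(params: dict) -> str:
    """Interpolates an untrusted request field straight into the HTML body.
    Any markup in 'name' (links, forms, images) becomes part of a legitimately
    signed message. The template is trusted; only the value is attacker-controlled."""
    return TEMPLATE.format(name=params.get("name", ""))


# Allowlist for a personal name: letters, digits, space, period, apostrophe, hyphen.
NAME_RE = re.compile(r"[\w .'-]{1,64}")


def render_hardened(params: dict) -> str:
    """Rejects values that cannot be a name and HTML-escapes what remains,
    so no attacker-supplied markup survives into the rendered body."""
    name = params.get("name", "")
    if not NAME_RE.fullmatch(name):
        raise ValueError("rejected name field")
    return TEMPLATE.format(name=html.escape(name, quote=True))


def hardened_rejects(params: dict) -> bool:
    """True if the hardened renderer refuses the input (used by the checks below)."""
    try:
        render_hardened(params)
    except ValueError:
        return True
    return False


# Detection helper: tags the template itself never emits should not appear
# in a rendered message. Useful as a pre-send check or a log-review rule.
INJECTED_MARKUP = re.compile(r"<(a|img|form|script|iframe)\b", re.I)


def contains_injected_markup(body: str) -> bool:
    return INJECTED_MARKUP.search(body) is not None


# Constructed attacker input: closes the greeting paragraph and adds a phishing
# link that reads as part of the email. The domain is a placeholder.
PHISH_PARAMS = {
    "name": 'Alex</p><p><a href="https://login-example.invalid">Verify your account</a><p>'
}

if __name__ == "__main__":
    print("vulnerable body injected:", contains_injected_markup(render_vulnerable(PHISH_PARAMS)))
    print("hardened rejects payload:", hardened_rejects(PHISH_PARAMS))
    print(render_hardened({"name": "Alex O'Brien"}))
```

The pre-send check is deliberately simple: in a real pipeline the cleaner fix is to never interpolate raw request fields into HTML at all, and to reject requests whose fields fail validation before they reach the mail provider. Escaping at render time is the fallback, not the primary control.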

Uber Is Willingly Ignoring The Problem


Elsallamy also sent Bleeping Computer a proof-of-concept email from the Uber.com domain, delivered via SendGrid, an email marketing and customer communications platform, to show how easy it is to exploit the exposed endpoint. However, Elsallamy did not disclose the vulnerable Uber endpoint, as doing so would have created a security issue for the company, its customers and its driver-partners. As of Jan. 3, the vulnerability remains unpatched and could allow malicious actors to send convincing phishing emails to Uber users whose email addresses were leaked in the 2016 data breach.

Remarkably, Uber doesn't seem interested in patching the vulnerability despite being alerted to the issue on multiple occasions by multiple researchers. In Elsallamy's case, despite reporting the problem to Uber through its HackerOne bug bounty program, his report was rejected as "out-of-scope." The same bug had earlier been reported by at least two other security researchers, who apparently received similar replies from Uber.

In fact, the issue was first detected as far back as 2015 or 2016 but was dismissed by Uber. The problem was reported again in March 2021, only to be rejected once more. Now that it is getting widespread media coverage, it will be interesting to see whether Uber finally gets its act together and patches this long-standing security hole once and for all.


Source: Bleeping Computer