Uber | Failure allows sending emails to users on behalf of company

A serious flaw in Uber's servers could allow attackers to send emails to users on behalf of the company. The flaw was spotted last week by a security researcher and primarily puts at risk the 57 million people whose data was leaked in the 2017 data exposure, when a database containing both passengers and drivers became publicly available.


The idea is simple for an attacker, who already has confirmation that these records belong to users of the company's services. Such users would be more susceptible to a fraudulent message sent on behalf of Uber, which could be used for data theft and malware installation, as well as other scams involving rides, food and product deliveries, and corporate accounts.

The proof of concept for the exploit was presented to the Bleeping Computer website by researcher Seif Elsallamy. He sent the outlet an email that appears to originate from the company's servers and domains, informing the recipient of a block on a corporate account and requesting credit card data for reactivation. If filled in, the fields would send the information back to a platform under his control, outside the transport service's systems.


The attack benefits from the fact that the message passes the usual security checks: since it comes from a legitimate server, anti-spam systems treat it as genuine, even though its content is dangerous. The message was also sent through an email marketing system recognized and used by large companies to send mass messages to their customer base.

To prove the flaw, the researcher sent from Uber's server an email that would capture bank details; the company dismissed the vulnerability report and did not comment on the matter (Image: Reproduction/Bleeping Computer)

According to Elsallamy, the problem lies with an endpoint on one of the company's servers, which is susceptible to HTML injection: attacker-controlled input is inserted into the outgoing email's HTML without being sanitized. He claims that a similar loophole in Facebook was spotted in 2019 by security researcher Youssef Sammouda and fixed through the company's bug bounty program.
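The vulnerability class described above, a user-supplied value dropped verbatim into an HTML email template, is easy to reproduce and easy to fix. The following added example is illustrative code written for this article and is not Uber's, Facebook's or any mail vendor's code; the template text, the `name` field and the helper names are assumptions. It shows the vulnerable rendering path beside a hardened one that escapes HTML metacharacters and bounds the input, plus a simple check a defender could run on submitted values to flag markup before it reaches a mail template.

```python
import html
import re
from string import Template

# Constructed transactional email template (not from the article or any vendor).
TEMPLATE = Template(
    "<html><body><p>Hi $name,</p>"
    "<p>Your receipt is attached.</p></body></html>"
)

# Matches opening and closing HTML tags such as <b>, </p>, <a href=...>.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_unsafe(name: str) -> str:
    """Vulnerable path: the caller-supplied value is interpolated verbatim,
    so any markup it carries becomes part of the email the mail server sends
    with the company's legitimate headers and authentication."""
    return TEMPLATE.substitute(name=name)


def render_safe(name: str, max_len: int = 64) -> str:
    """Hardened path: reject oversized values and escape <, >, &, quotes so
    the value is displayed as text rather than interpreted as HTML."""
    if len(name) > max_len:
        raise ValueError("display name too long")
    return TEMPLATE.substitute(name=html.escape(name, quote=True))


def contains_markup(value: str) -> bool:
    """Detection helper for the endpoint: True when a submitted field carries
    HTML tags, which a display name never legitimately needs. Suitable for
    logging and alerting on requests that feed a mail template."""
    return bool(TAG_RE.search(value))


def count_tags(rendered: str) -> int:
    """Number of HTML tags in a rendered message; the template alone has 8.
    Any excess means injected markup survived into the outgoing email."""
    return len(TAG_RE.findall(rendered))


def is_rejected(name: str) -> bool:
    """True when the hardened renderer refuses the value outright."""
    try:
        render_safe(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input containing markup in the name field.
    sample = "Alice <b>x</b>"
    print("unsafe tags:", count_tags(render_unsafe(sample)))   # 10
    print("safe tags:  ", count_tags(render_safe(sample)))     # 8
    print("flagged:    ", contains_markup(sample))             # True
```

The tag count is a cheap regression check for a mail-sending endpoint: render each template with a value that contains markup and assert the count equals the template's own baseline. Escaping at the point of interpolation is the fix; the `contains_markup` check is a detection layer on top of it, not a substitute.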

This was not the case for Uber, however: the company denied the validity of the report, claiming that the flaw would only apply after a social engineering attack against a company employee. The researcher confirmed that this was not the case, and the report also points to three other instances in which a similar vulnerability was reported to the company and not corrected.

Attention to the details

The flaw remains active and, while there are no signs of malicious exploitation, the details have been kept confidential precisely to prevent this. The mere disclosure that such a flaw exists, however, may prompt criminals to look for the opening, which remains usable as long as the company does not address the problem.

Users are advised to be cautious about all types of emails that arrive on behalf of services or platforms. It is worth paying attention to the language, terms and even the type of data requested, avoiding clicking on links or filling in information without being absolutely sure what you are doing; when in doubt, it is better to ignore the contact or, instead, seek the official means of support.

A Market Analysis contacted Uber about the matter, but the company had not responded by the time of publication.
