Friday, February 28, 2025

Flaw allows sending emails to users on behalf of the company

A serious flaw in Uber’s servers could allow attackers to send emails to users on behalf of the company. The flaw was spotted last week by a security researcher and primarily puts at risk the 57 million people whose data was exposed in a 2017 leak, with a publicly available database containing both passengers and drivers.

The idea is simple for an attacker who already has confirmation that these addresses belong to users of the company’s services. Such users would be more susceptible to a fraudulent message sent on behalf of Uber, which could be used for data theft and malware installation, as well as other types of scams involving rides, food and product deliveries, and corporate accounts.

The proof of concept for the exploit was presented to the Bleeping Computer website by researcher Seif Elsallamy. He sent the outlet an e-mail that appears to originate from the company’s servers and domains, notifying the recipient that a corporate account had been blocked and requesting credit card data to reactivate it. If filled in, the form fields would send the information to a platform under his control, outside the transport service’s systems.


The attack benefits from the fact that the message passes the usual security checks: because it comes from a legitimate server, antispam systems treat it as legitimate even if its content is malicious. Moreover, the message was sent through an email marketing system recognized and used by large companies to send mass messages to their customer base.

According to Elsallamy, the problem lies with an endpoint on one of the company’s servers that is susceptible to HTML injection. He notes that a similar loophole in Facebook was spotted in 2019 by security researcher Youssef Sammouda and fixed through the company’s bug bounty program.
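The mechanism described above (caller-controlled text landing unescaped in a company-branded HTML email, which then clears antispam because the sending server is legitimate) is illustrated by the following added Python example. It is not Uber’s code or the researcher’s proof of concept: the receipt template, the hypothetical `collect.invalid` host and the allowed-host list are all constructed for this illustration. It renders the template both unsafely and with escaping, and adds an outbound content check of the kind a mail pipeline can run before a message leaves.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed template: the real endpoint and template are not public, so a
# minimal transactional notice stands in for them.
TEMPLATE = "<p>Hello {name},</p><p>Your receipt for today's ride is below.</p>"


def render_unsafe(name: str) -> str:
    """Interpolates a caller-controlled field straight into the HTML body (HTML injection)."""
    return TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Escapes the field so any markup in it is displayed as text, not rendered."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


class OutboundGuard(HTMLParser):
    """Collects tags and link hosts a transactional mail should never contain."""

    ALLOWED_TAGS = {"p", "br", "strong", "em", "a"}

    def __init__(self, allowed_hosts: set[str]) -> None:
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.violations: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            self.violations.append(f"disallowed tag <{tag}>")
        for attr, value in attrs:
            # Any href/src/action pointing outside the sender's own hosts is flagged.
            if attr in ("href", "src", "action") and value:
                host = urlparse(value).hostname or ""
                if host not in self.allowed_hosts:
                    self.violations.append(f"external {attr} to {host or value}")


def check_outbound(body: str, allowed_hosts: set[str]) -> list[str]:
    """Returns the policy violations found in a rendered mail body (empty list = clean)."""
    guard = OutboundGuard(allowed_hosts)
    guard.feed(body)
    guard.close()
    return guard.violations


if __name__ == "__main__":
    # Constructed input: closes the template's paragraph and adds a link to a foreign host.
    crafted = 'Ana</p><p><a href="https://collect.invalid/reactivate">Update your card</a>'
    print(check_outbound(render_unsafe(crafted), {"example.com"}))  # flags the external href
    print(check_outbound(render_safe(crafted), {"example.com"}))    # []
```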

This was not the case for Uber, however: the company denied the validity of the flaw, claiming that it would only apply after a social engineering attack against a company employee. The researcher confirms that no such step is needed, and the report also points to three other cases in which a similar vulnerability was reported to the company and not corrected.

Attention to the details

The flaw remains active and, while there is no evidence of malicious exploitation, the details have been kept confidential precisely to prevent it. Even the mere disclosure that such a flaw exists, however, may prompt criminals to look for the opening, which can still be exploited while the company does not take a stand on the problem.

Users are advised to be cautious about all types of emails that arrive on behalf of services or platforms. It is worth paying attention to the language, terms and even the type of data requested, avoiding clicking on links or filling in information without being absolutely sure what you are doing; when in doubt, it is better to ignore the contact or, instead, seek the official means of support.

Kenyannews contacted Uber about the matter, but the company had not responded by the time this report was published.
