Uber lets you send anyone an email claiming to be from Uber.com:
[The] software bug means that pretty much anyone can currently send an email from the Uber.com domain. No, Uber has not intentionally done so. It is, however, choosing to ignore the problem at the moment.
These are the conclusions of multiple security researchers, who blame an exposed endpoint on Uber's servers that allows anyone to use SendGrid, an email marketing and customer communications platform, to send emails on behalf of the taxi ride giant.
The vulnerability is "an HTML injection in one of Uber's email endpoints," security researcher and bug bounty hunter Seif Elsallamy told BleepingComputer. These emails can pass both DKIM and DMARC security checks and land safely in people's inboxes, the report adds.
In a demonstration email, Elsallamy crafted a message warning the user that their account is about to be suspended and that they need to re-submit their payment data. Such emails, which could easily be leveraged to obtain sensitive and payment data from millions of paying Uber customers, would be sent from a legitimate Uber domain. This is just one example of the potency of the flaw. Distributing malware, ransomware, or simple spam are all realistic possibilities.
To fix the issue, Uber needs to "sanitize the users' input in the vulnerable undisclosed form", he explains.
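The core of the bug described above is that a user-supplied form field ends up inside an HTML email template unescaped, so whatever markup the submitter puts in the field is rendered, signed with the legitimate domain's DKIM key and delivered. DKIM and DMARC authenticate the sending domain, not the message content, so the only place to fix this is where the input is handled. The following is an added example, not Uber's or SendGrid's code, showing a constructed template rendered first with raw interpolation and then with HTML escaping, plus a check that flags tags which were not part of the template (a useful regression test for any templated notification email). The template, the `EVIL_NAME` payload and the `payments.example.invalid` domain are all constructed for illustration.

```python
import html
import re
from typing import List

# Constructed "welcome" template with a single user-controlled field. Real
# systems use a templating engine, but the injection works the same way.
TEMPLATE = """<html><body>
<p>Hi {name},</p>
<p>Thanks for signing up.</p>
</body></html>"""

# Constructed attacker-controlled field: closes the greeting paragraph and
# appends a fake "re-enter your card" notice. Placeholder domain only.
EVIL_NAME = (
    'friend,</p><p>Your account will be suspended. '
    '<a href="https://payments.example.invalid/">Re-enter your card</a>'
)

# Matches opening, closing and declaration tags; enough for a regression check.
TAG_RE = re.compile(r"<[a-zA-Z/!][^>]*>")


def render_vulnerable(name: str) -> str:
    """Interpolates the field verbatim: any markup in `name` becomes part of the email."""
    return TEMPLATE.format(name=name)


def render_hardened(name: str) -> str:
    """Escapes <, >, &, ' and " so the field can only ever appear as visible text."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def injected_tags(rendered: str, template: str = TEMPLATE) -> List[str]:
    """Return tags in the rendered email that do not occur in the template.

    Used as a defensive check: an email built from a fixed template should
    never contain a tag the template itself does not contain.
    """
    expected = set(TAG_RE.findall(template))
    return [tag for tag in TAG_RE.findall(rendered) if tag not in expected]


def looks_like_markup(value: str) -> bool:
    """Input-side check for a field that is supposed to be a plain display name.

    Rejecting or logging such submissions gives defenders a signal even when
    output escaping is already in place.
    """
    return TAG_RE.search(value) is not None


if __name__ == "__main__":
    leaked = injected_tags(render_vulnerable(EVIL_NAME))
    print("vulnerable renderer leaked tags:", leaked)
    print("hardened renderer leaked tags:", injected_tags(render_hardened(EVIL_NAME)))
    print("input looks like markup:", looks_like_markup(EVIL_NAME))
```

Escaping at the point of output is the fix the article calls for; the `looks_like_markup` check is a second layer that lets a form reject obviously hostile values and lets a SOC alert on attempts, since a legitimate display name has no reason to contain angle brackets.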
(Score: 4, Insightful) by Anonymous Coward on Thursday January 06 2022, @03:10AM (2 children)
Nope. Uber needs to die die die. Or as the Nomad space probe said when it discovered Kirk wasn't its creator - "Error. Must sterilize sterilize ste-ri-lize."
(Score: 2, Interesting) by Anonymous Coward on Thursday January 06 2022, @03:43AM (1 child)
Are they even profitable at this point?
https://techcrunch.com/2021/11/04/uber-squeaks-tiny-adjusted-profit-in-q3-despite-2-4b-net-loss/ [techcrunch.com]
(Score: 4, Interesting) by SDRefugee on Thursday January 06 2022, @05:15AM
Nope, and I suspect they never will be. I drove for them for 3 years, and quit when the plandemic hit in Mar '20. It would be a cold, cold day
in hell before I'd EVER consider driving for them again. They are a shit company.
America should be proud of Edward Snowden, the hero, whether they know it or not..
(Score: 4, Touché) by SomeGuy on Thursday January 06 2022, @03:38AM
Don't worry, they will just pick up their smart phone, use a handy dandy app, and summon an Indian programmer, who will deliver a half-assed fix and then disappear back into the ether.
And, no, you can't use a desktop computer for that because computers are ooooold.
(Score: 4, Funny) by Anonymous Coward on Thursday January 06 2022, @09:51AM (1 child)
From: gary@uber.com
Guys, can you stop like stop hacking my email? I just had to explain to my mom that was not *my* cock.
(Score: 0) by Anonymous Coward on Friday January 07 2022, @12:47PM
> I just had to explain to my mom that was not *my* cock.
Why are you even discussing your "cock" with your Mom? Does she shoulder surf?
Forget it, I don't want to know.
(Score: 3, Insightful) by bart9h on Thursday January 06 2022, @02:34PM
Sanitizing user input is perhaps the first and most basic security concern.
It's impressive how big companies still fall for bobby-tables tricks.