Jan 6, 2022

Uber Bug, Ignored for Years, Casts Doubt on Official Uber Emails

A simple-to-exploit bug that allows bad actors to send emails from Uber’s official system – skating past email security – went unaddressed despite flagging by multiple researchers.
A security vulnerability that would allow malicious attackers to send email from Uber’s network appears to be closed – but users could have been swindled already. The easy-to-find bug has been hanging around for years, ready to take Uber’s customers for a ride of a very different sort.
According to Seekurity security researcher and bug-hunter Seif Elsallamy, the HTML-injection issue made it possible to tap into an internet-facing internal Uber API endpoint in order to send out email directly from Uber’s email system (the company uses the SendGrid platform); since the emails would be coming from an authentic sender, they wouldn’t trigger normal email security filters like DMARC or DKIM.

Obviously, the bug opened a gaping opportunity for cyberattackers to send out social-engineering emails to the ride-sharing giant’s nearly 100 million users – perhaps a message asking them to “verify” their account info or “update” their credit-card information.
Elsallamy forwarded a proof-of-concept example of a possible attack email to BleepingComputer.
The danger seems particularly pertinent given that Uber suffered a data breach in 2016 that involved the email addresses of 57 million of its users, the researcher pointed out:
Heck, these days with triage teams, they don't understand their own policies @Uber @Uber_Support @Hacker0x01 pic.twitter.com/kCQqwR3M3b
— SAFE 😵 (@0x21SAFE) December 31, 2021

He also submitted a bug report via HackerOne to Uber, but the issue was rejected because the triage team mistakenly thought exploitation involved the social engineering of Uber employees:
Hi @Uber @Uber_Support bring your calc and tell me what would be the result if this vulnerability has been used with the 57 million email address that has been leaked from the last data breach?
If you know the result then tell your employees in the bug bounty triage team. pic.twitter.com/f9yKIoCJ6O
— SAFE 😵 (@0x21SAFE) December 31, 2021

Making matters worse, he wasn’t the first to report it and be rebuffed; at least two other researchers filed the same issue, with the same result – one as long ago as 2015. That’s a lot of time for possible exploitation to have occurred.
“I don’t have evidence that this bug has been exploited in the wild, but since the report has been duplicated, that means at least one researcher has reported it before me,” Elsallamy told Threatpost. “So, it looks like it is an easy-to-spot issue [and] I hope that it has not been exploited in the wild. The exploitation was not difficult; it only requires basic HTML and CSS knowledge.”
I reported this issue on @Hacker0x01 last year and the triager closed it as informative xD pic.twitter.com/29yxgTV287
— ${jndi:ldap://mainteemoforfun} (@wld_basha) January 2, 2022

“The researchers and Uber’s employees are just doing their job, and I understand that Uber receives a lot of false reports,” Elsallamy told Threatpost. “But they have to at least spend five minutes on the report that took me days to prepare. Uber’s customers are who will pay for our faults in the end.”
He noted that a fix would be simple: “The issue is not difficult to fix; I think it will be only one or two lines of code,” he said. “They should sanitize the users’ input through a security encoding library, so any HTML appears as normal text.”
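As an added illustration of the encoding fix the researcher describes (constructed example code, not Uber's, SendGrid's or the researcher's): a made-up email template renders a user-controlled display name once raw and once through Python's html.escape, and a small check reports which tags in the rendered output the template itself did not emit.

```python
import html
import re

# Constructed stand-in for an email template that embeds a user-controlled
# field (the recipient's display name). Not Uber's or SendGrid's template.
EMAIL_TEMPLATE = (
    "<p>Hi {name},</p>"
    "<p>Thanks for riding with us.</p>"
)


def render_unsafe(name: str) -> str:
    """Interpolates the raw value: any HTML in `name` becomes live markup."""
    return EMAIL_TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Encodes the value first, so '<', '>', '&' and quotes arrive as text."""
    return EMAIL_TEMPLATE.format(name=html.escape(name, quote=True))


# Only the tags the template itself emits are expected in the output.
_ALLOWED_TAGS = {"p"}
_TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)")


def injected_tags(rendered: str) -> set:
    """Returns the tag names present that the template did not emit.
    An empty set means no user-supplied markup survived rendering."""
    found = {m.group(1).lower() for m in _TAG_RE.finditer(rendered)}
    return found - _ALLOWED_TAGS


if __name__ == "__main__":
    # Constructed input: a display name carrying a link, the kind of
    # markup the report describes being rendered as real HTML.
    name = 'Alice<a href="https://example.invalid/verify">verify</a>'
    print(injected_tags(render_unsafe(name)))  # {'a'}
    print(injected_tags(render_safe(name)))    # set()
```

The same check can be run over a service's own rendered emails with a fixture input like the one above to confirm that encoding is applied on every path that reaches the template.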
Since the story was reported earlier this week, it appears that Uber has fixed the vulnerability – “because I am unable to reproduce the issue anymore,” Elsallamy said. However, because it’s unknown whether the vulnerability has been exploited in the years that it existed, customers who gave up personal information in response to an official Uber email should take action to change their passwords immediately.
Additionally, “I advise Uber customers to use unique passwords, use credit cards with a limited amount of money available online if they don’t want to hold cash, and to use two-factor authentication whenever possible to limit the damage if any of their data has been compromised,” he said.
Uber did not immediately return a request to comment on this story.