A security researcher recently found and disclosed a vulnerability to Uber for which the corporate giant refused to acknowledge. Exploiting the vulnerability allows an adversary to send fake emails via the “uber.com” domain.
Uber.com Domain Vulnerability Allows Fake Emails
In a recent tweet, bug bounty hunter Seif Elsallamy shared a snapshot revealing Uber’s response to his bug report. The messages in the screenshot hinted at Uber’s misunderstanding of a vulnerability as a social engineering attack.
heck this days with triage teams, they don't understand their own policies @Uber @Uber_Support @Hacker0x01 pic.twitter.com/kCQqwR3M3b
— SAFE ? (@0x21SAFE) December 31, 2021
Then, in another tweet, Elsallamy challenged Uber while sharing a snippet of the proof-of-concept (and taunting for a 2016 hack).
Hi @Uber @Uber_Support bring your calc and tell me what would be the result if this vulnerability has been used with the 57 million email address that has been leaked from the last data breach?
If you know the result then tell your employees in the bug bounty triage team. pic.twitter.com/f9yKIoCJ6O— SAFE ? (@0x21SAFE) December 31, 2021
Elaborating further on this matter, Bleeping Computer revealed that the researcher specifically discovered a security vulnerability with the uber.com domain. The researcher observed that exploiting the vulnerability allows an adversary to send emails via Uber’s domain. In real-time, such exploitation can wage severe phishing attacks since the emails would appear legit to the recipient.
Demonstrating the PoC, Bleeping Computer explained how the researcher sent them an email from Uber’s domain with fake text. Since the email originated from legit servers, it arrived directly to the recipient mailbox, raising no red flags.
That fake email had a form asking the recipient to submit payment card details. This explained how an actual adversary can exploit the flaw to generate legit-looking phishing scams since the recipient would inevitably share the details with “Uber”.
According to Elsallamy, the vulnerability is an HTML injection flaw typically residing within an exposed endpoint on Uber servers.
Uber Denied A Fix
Upon finding this vulnerability, the researcher responsibly disclosed the bug to Uber via their HackerOne bug bounty program.
However, to his dismay, Uber officials did not acknowledge the flaw, calling it a “social engineering attack” (when it clearly isn’t).
Regarding the possible fix from Uber, the researcher told Bleeping Computer,
They need to sanitize the users’ input in the vulnerable undisclosed form. Since the HTML is being rendered, they might use a security encoding library to do HTML entity encoding so any HTML appears as text.
For now, it remains unclear if Uber plans to revert the decision on this bug report and fix the bug.