Uber was recently notified of a vulnerability that a security researcher discovered and published, but the company refused to acknowledge it. An attacker can use the security flaw to send fake emails from the “uber.com” domain.
Vulnerability in Uber.com Domain Allows Fake Emails
Seif Elsallamy, a bug bounty hunter, recently tweeted a screenshot of Uber’s response to his bug report. According to the messages in the screenshot, Uber mistook the vulnerability for a social engineering attack.
Bleeping Computer reported that the researcher uncovered the security flaw in the uber.com domain. According to the researcher, exploiting the vulnerability allows an attacker to send emails from Uber’s domain. Because such emails appear legitimate to the receiver, the flaw can be used to carry out serious phishing attacks.
Bleeping Computer demonstrated the PoC by explaining how the researcher sent them an email from Uber’s domain containing fake text. Because the email was sent from Uber’s legitimate servers, it went straight to the recipient’s inbox without raising any red flags.
The recipient of the fake email was asked to fill out a form with payment card information. This showed how a real attacker could use the flaw to create legitimate-looking phishing scams, since the recipient would readily share the details with “Uber”. The vulnerability, according to Elsallamy, is an HTML injection flaw in an exposed endpoint on Uber’s servers.
Uber’s Non-acceptance of Flaw
The researcher responsibly reported the vulnerability to Uber through its HackerOne bug bounty program after discovering it. To his dismay, Uber refused to acknowledge the flaw, referring to it as a “social engineering attack” (which it plainly isn’t). The researcher told Bleeping Computer how Uber would probably need to fix the vulnerability:
“They need to sanitize the users’ input in the vulnerable undisclosed form. Since the HTML is being rendered, they might use a security encoding library to do HTML entity encoding so any HTML appears as text.”
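The encode-on-output fix the researcher describes, as an added illustration that is not Uber’s code or the researcher’s: a hypothetical transactional-email template is rendered once with the user-supplied field inserted verbatim (the injectable pattern) and once with HTML entity encoding applied, so the same input is shown to the recipient as plain text. The template, the field name and the sample input are all constructed for this example.

```python
import html
import re

# Hypothetical transactional-email template. The markup itself is trusted;
# the only untrusted value is the free-text field a user submits to the form.
TEMPLATE = "<p>Hello,</p><p>{message}</p><p>Thanks for riding with us.</p>"


def render_vulnerable(user_input: str) -> str:
    """Injectable pattern: user input is dropped into the HTML body verbatim,
    so any tags it contains are rendered by the recipient's mail client."""
    return TEMPLATE.format(message=user_input)


def render_hardened(user_input: str) -> str:
    """Hardened pattern: HTML entity encoding turns <, >, &, " and ' into
    entities, so the input is displayed as text instead of being interpreted."""
    return TEMPLATE.format(message=html.escape(user_input, quote=True))


def contains_injected_markup(rendered: str) -> bool:
    """Defender-side check on the rendered body: flag any tag that is not one
    of the template's own <p> elements (a cheap assertion for a mail pipeline
    test, not a substitute for encoding)."""
    tags = re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", rendered)
    return any(tag.lower() != "p" for tag in tags)


# Constructed sample input: harmless markup standing in for attacker-controlled text.
SAMPLE_INPUT = 'Your <b>receipt</b> is <a href="http://example.invalid/">here</a>'

if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_INPUT))   # tags reach the mail client intact
    print(render_hardened(SAMPLE_INPUT))     # tags appear as literal text
```

A real mailer would typically get the same effect from a template engine with autoescaping switched on; the essential point is that encoding happens where the untrusted value is written into the HTML, not on the way in.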
For the time being, it’s unclear whether Uber intends to reverse its decision on this bug report and address the security flaw.