A vulnerability in Uber’s email system allows just about anyone to send emails on behalf of Uber.
The researcher who discovered this flaw warns that threat actors can abuse it to email the 57 million Uber users and drivers whose information was leaked in the 2016 data breach.
Uber seems to be aware of the flaw but has not yet fixed it.
‘Your Uber is arriving now’
Security researcher and bug bounty hunter Seif Elsallamy discovered a flaw in Uber’s systems that enables anyone to send emails on behalf of Uber.
These emails, sent from Uber’s servers, would appear legitimate to an email provider (because technically they are) and make it past any spam filters.
Imagine getting a message from Uber stating, ‘Your Uber is arriving now,’ or ‘Your Thursday morning trip with Uber’—when you never made those trips.