While the headline might read as being about the launch of a potentially helpful feature for Uber passengers, this isn’t the case at all.
Instead, a software bug means that almost anyone can send an email from Uber’s website. Naturally, this could have potentially severe implications and lead to things like phishing and other types of cyber scams.
At the time of writing, Uber hadn’t taken any action to address this issue.
Problem uncovered by security researchers
Security researchers found an exposed endpoint on Uber’s servers that lets anyone send email through Uber’s account on the email and marketing platform SendGrid, so the messages go out on Uber’s behalf. Because such an email appears to come from Uber, an attacker could place a malicious link or code in it or run a phishing campaign, and recipients would find it in their inbox and assume it was legitimate.
Potential issues demonstrated by researchers
According to TechRadar, security researcher and so-called “bug bounty hunter” Seif Elsallamy sent out a demonstration email showing the relative ease with which scam attempts could succeed. Elsallamy created a warning email saying a user account was about to be suspended and that they’d need to re-submit their payment data.
If emails could be sent en masse, potentially millions of people could end up believing they need to submit their payment card details, instantly putting themselves at risk of fraud. Yet, in their eyes, they would simply have secured their Uber account!
Why isn’t Uber doing anything?
At the time of writing, Uber had neither acted on the issue nor responded to requests for comment.
According to Elsallamy, Uber believes that “some form” of social engineering would need to occur for the flaw to be used successfully, hence its lack of action.
The lack of action or urgency from Uber is somewhat surprising given its history of falling victim to data breaches. In 2016, the company suffered a breach that exposed personal details of 57 million customers and drivers. The Information Commissioner’s Office fined Uber $520,000 following the incident, and the Netherlands data watchdog levied a further $680,000 fine against the company.
Uber’s lack of action means users will need to be especially vigilant in the coming days and weeks to avoid falling victim to fraud.
It’s vital to remember that you could receive a scam email that appears to legitimately come from Uber. As such, it would be prudent to avoid clicking any links in emails from Uber in the coming weeks. If you receive any notifications about making changes to your account, delete the email and log in to your account online or via the app to check if the changes really do need making.
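The advice above rests on the fact that, with this kind of exposed endpoint, the sender address alone is no guide to legitimacy, so the useful signals are where the links actually lead and whether the wording matches the "account suspended, re-submit payment details" lure described earlier. The following script is an added example, not code from the original article or from Uber or SendGrid: it parses a constructed sample email, compares each link's host against the domain the user expects (here assumed to be uber.com), and looks for the lure phrases. The sample message, the link domains and the phrase list are all constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real Uber email): the From header names
# uber.com, but the call-to-action link points at an unrelated host.
SAMPLE_EMAIL = """From: Uber <no-reply@uber.com>
To: rider@example.net
Subject: Your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended unless you re-submit your payment details.</p>
<p><a href="https://uber-billing-update.example/verify">Update payment method</a></p>
<p><a href="https://help.uber.com/riders">Help centre</a></p>
</body></html>
"""

# Assumption: the domains the recipient actually expects Uber links to use.
TRUSTED_DOMAINS = {"uber.com"}

# Wording of the lure described in the article; phrases are constructed, lower case.
LURE_PHRASES = ("suspended", "re-submit your payment", "payment details")


def sender_domain(raw_message: str) -> str:
    """Return the domain part of the From address (empty string if absent)."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower()


def extract_links(html: str) -> list[str]:
    """Pull every href target out of the HTML body."""
    return re.findall(r'href="([^"]+)"', html)


def host_is_trusted(host: str, trusted: set[str]) -> bool:
    """True if host equals a trusted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def analyse(raw_message: str, trusted: set[str] = TRUSTED_DOMAINS) -> dict:
    """Flag links that leave the expected domain and lure wording in the body.

    The From domain is reported but deliberately not used as a trust signal,
    because mail sent through the exposed endpoint genuinely originates from
    the company's own sending infrastructure.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_content() if not msg.is_multipart() else ""
    text = re.sub(r"<[^>]+>", " ", body).lower()

    off_domain = [
        link for link in extract_links(body)
        if not host_is_trusted((urlparse(link).hostname or "").lower(), trusted)
    ]
    phrases = [p for p in LURE_PHRASES if p in text]

    if off_domain and phrases:
        verdict = "suspicious"
    elif off_domain or phrases:
        verdict = "review"
    else:
        verdict = "no mismatch found"

    return {
        "sender_domain": sender_domain(raw_message),
        "off_domain_links": off_domain,
        "lure_phrases": phrases,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The verdict is "suspicious" only when both signals are present; a single off-domain link (a tracking redirect, say) or a single matching phrase on its own is marked for review rather than condemned outright. Either way, the safe response remains the one the article gives: ignore the link and check the account directly in the app or on the website.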