Uber dismisses vulnerability that lets you email anyone as Uber!
A vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber.
The researcher who discovered this flaw warns this vulnerability can be abused by threat actors to email 57 million Uber users and drivers whose information was leaked in the 2016 data breach.
Imagine getting a message from Uber stating, 'Your Uber is arriving now,' or 'Your Thursday morning trip with Uber', when you never made those trips.
The email sent by the researcher "From Uber" to BleepingComputer passed both DKIM and DMARC security checks, according to email headers seen by us.
Elsallamy tells BleepingComputer that an exposed endpoint on Uber's servers is responsible for the flaw and allows anyone to craft an email on behalf of Uber.
Uber users, staff, drivers, and associates should watch out for any phishing emails sent from Uber that appear to be legitimate, as exploitation of this flaw by threat actors remains a possibility.