Security News > 2022 > January > Uber ignores vulnerability that lets you send any email from Uber.com
A vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber.
The researcher who discovered this flaw warns this vulnerability can be abused by threat actors to email 57 million Uber users and drivers whose information was leaked in the 2016 data breach.
Imagine getting a message from Uber stating, 'Your Uber is arriving now,' or 'Your Thursday morning trip with Uber'-when you never made those trips.
Bug bounty hunters Soufiane el Habti and Shiva Maharaj claim they had reported the issue to Uber earlier without success [1, 2, 3]. 57 million Uber customers and drivers at risk.
Elsallamy tells BleepingComputer that it is an exposed endpoint on Uber's servers responsible for the flaw and allows anyone to craft an email on behalf of Uber.
Uber users, staff, drivers, and associates should watch out for any phishing emails sent from Uber that appear to be legitimate as exploitation of this flaw by threat actors remains a possibility.