
Uber Bug, Ignored for Years, Casts Doubt on Official Uber Emails
2022-01-05 20:49

The easy-to-find bug has been hanging around for years, ready to take Uber's customers for a ride of a very different sort.

According to Seekurity security researcher and bug-hunter Seif Elsallamy, the HTML-injection issue made it possible to reach an internet-facing internal Uber API endpoint and have it send email directly from Uber's own email system, with attacker-supplied HTML embedded in the message body. Because such messages originate from Uber's legitimate mail infrastructure, they pass the sender-authentication checks (SPF, DKIM and DMARC) that would normally flag spoofed mail, so neither filters nor recipients can tell them apart from genuine Uber email. The bug therefore handed attackers an easy way to send convincing social-engineering email to the ride-sharing giant's nearly 100 million users, for instance a message asking them to "Verify" their account information or "Update" their credit-card details.
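To make the mechanism concrete, here is an added illustration that is not Uber's code and not taken from the Threatpost report: a hypothetical notification template that interpolates a caller-supplied field (a display name) straight into the HTML body, beside the hardened form that escapes it. The template, the field name, the phishing payload and the check function are all constructed for this example.

```python
import html
import re

# Constructed example template. The {name} field is assumed to come from a
# caller of the e-mail endpoint, i.e. from a potentially untrusted source.
# Hypothetical code for illustration only, not Uber's implementation.
TEMPLATE = "<p>Hi {name},</p><p>Your ride receipt is attached.</p>"

# Constructed attacker payload: closes the greeting paragraph and inserts a
# phishing call-to-action. Sent through the real mail system, the resulting
# message would still pass SPF/DKIM/DMARC because it really is from the sender.
PHISHING_NAME = (
    'friend</p><p style="color:red">Your account is locked. '
    '<a href="https://example.invalid/verify">Verify your account</a></p><p>'
)

# A template's own markup never contains anchors in this example, so any
# <a href=...> in the rendered body must have been injected.
ANCHOR_RE = re.compile(r"<a\s[^>]*href=", re.IGNORECASE)


def render_vulnerable(name: str) -> str:
    """Builds the body by plain substitution; attacker HTML survives intact."""
    return TEMPLATE.format(name=name)


def render_hardened(name: str) -> str:
    """Escapes the untrusted field so it can only ever render as text.

    html.escape with quote=True turns <, >, &, " and ' into entities, which
    is the correct treatment for a value placed into HTML element content.
    """
    return TEMPLATE.format(name=html.escape(name, quote=True))


def contains_injected_anchor(body: str) -> bool:
    """True if the rendered body carries a live <a href=...> element."""
    return bool(ANCHOR_RE.search(body))


if __name__ == "__main__":
    vulnerable = render_vulnerable(PHISHING_NAME)
    hardened = render_hardened(PHISHING_NAME)
    print("vulnerable body has live link:", contains_injected_anchor(vulnerable))
    print("hardened body has live link:  ", contains_injected_anchor(hardened))
    print(hardened)
```

Escaping fixes the rendering problem but not the exposure: if the endpoint itself is reachable from the internet without authentication, an attacker can still trigger arbitrary mail from the trusted sender, so the endpoint's exposure and authorization need fixing alongside the template.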

"The researchers and Uber's employees are just doing their job, and I understand that Uber receives a lot of false reports," Elsallamy told Threatpost.

Since the story was reported earlier this week, it appears that Uber has fixed the vulnerability, Elsallamy said, "because I am unable to reproduce the issue anymore."

Because it is unknown whether the vulnerability was exploited during the years it existed, customers who handed over passwords or other personal information in response to an unexpected Uber email should change their Uber password immediately (and any other account that reuses it), and anyone who supplied card details should watch their statements for unauthorized charges.

Uber did not immediately return a request to comment on this story.


News URL

https://threatpost.com/uber-bug-ignored-emails/177395/