If you receive an email from Uber asking for your credit card details, be careful: there is a failure that the company will not solve


A vulnerability in Uber’s email system allows almost anyone to send emails on Uber’s behalf. These emails, that can be sent from Uber’s servers, they seem legitimate to any email provider (because they technically are) and would pass any spam filter.

Uber seems to be aware of the glitch, but it hasn’t fixed it for nowAccording to what security researcher and bug bounty hunter Seif Elsallamy has discovered, who was the one who saw how anyone can send emails impersonating Uber.


This vulnerability can serve to steal your data

Email From Uber

Image posted on Bleeping Computer

Remember that in 2016 The information of 57 million Uber users and drivers was leaked. So if a cybercriminal wants to take advantage of this bug, they have a good database to turn to.

In fact, these information were sold on the Darknet as we publish from Genbeta. A year before that, in 2015, there was also a security breach that exposed the information of tens of thousands of drivers of the app.

How could you use this vulnerability by a cybercriminal? According to the researcher who discovered the bug, an app customer could receive a message saying “Your Uber is coming now” or “Your Thursday morning ride with Uber” when you’ve never booked this ride and cause confusion.

Uber can't find drivers in the United States: why the situation in Spain is very different

But even more dangerous than that, a customer could receive a message from Uber saying that you have to update your credit card details or your payment details. Elsallamy himself sent a journalist from Bleeping Computer an email message that seemed to come from Uber (as you can see in the previous photo) and that according to the information provided, it reached the inbox, not the one from spam, which is logical because it comes from the VTC app server itself.

In the test email sent to show that this error can be dangerous, it also shows that the cybercriminal can add a link to a malicious website to the email, where the person can enter these key details of their bank card.

The investigator reported the vulnerability to Uber through its HackerOne bug bounty program just before kickoff in 2022. It is unknown if anyone has taken advantage of this bug so far, but the researcher says Uber has ignored the bug report.

Specifically, when the investigator sent his discovery to Uber, the complaint was rejected by be “out of reach” as it assumes that exploiting the glitch requires some form of social engineering. After learning this, other researchers have said they previously informed Uber of the error, so it is not something new.


Please enter your comment!
Please enter your name here