Computer security researcher Seif Elsallamy has reported a security flaw in Uber's mailing system to the company. The flaw would let anyone send an email on behalf of the company to more than 57 million users and drivers, according to BleepingComputer, as relayed by Phonandroid. The data of these accounts had already been disclosed during a hack in 2016.
This flaw could thus prove particularly dangerous: emails sent in this way come directly from the company and can therefore easily be mistaken for real ones. These emails would even slip past the spam filters of email services, being “technically speaking” legitimate. It is therefore the nature of the request (asking for bank details or sensitive data) that will have to be examined to avoid any scam.
A flaw discussed by Uber
The 57 million accounts potentially reachable in this way include all the French Uber customers who were registered in 2016, i.e. 1.4 million users. At the time of this hack, the CNIL fined the company 400,000 euros for having massively endangered the data of French users.
Informed of the flaw by Seif Elsallamy's report, the company did not admit the existence of a security problem, believing that this flaw alone did not allow a hacker to send an email on behalf of the company. Seif Elsallamy disputes this reading and, for his part, maintains that this access point allowed anyone to create an email on behalf of Uber. Note that this security problem had already been reported to the company by researchers Soufiane el Habti and Shiva Maharaj, who received no response.