Researcher Seif Elsallamy recently discovered a vulnerability in Uber’s emailing system, which allows anyone to send an email on behalf of the company. If exploited, threat actors would be able to email the 57 million Uber users and drivers whose data was leaked in the 2016 data breach. Uber has been made aware of the flaw, although a fix has yet to be issued.
Any email sent using this flaw would appear legitimate to an email provider and would therefore bypass spam filters. In some cases, Uber customers could be urged to provide credit card information. However, Uber rejected the vulnerability report as “out-of-scope”.