FYI.

Australian Woman Kept Getting Emails for Uber Rides in Kenya

The problem is due to a lack of email verification, and can end up in an account being taken over.

Since July, one woman has received over 200 emails from Uber notifying her of recently completed trips. Many of them were for short rides around Nairobi, Kenya, and she sometimes received several a day.

That might not be particularly unusual; Nairobi is one of Uber's biggest markets in Africa. Except this woman was halfway across the world, in Brisbane, Australia.

"Uber has an account security issue and support is either not taking the problem seriously, or they do not understand the risk," Mike Montague, an IT specialist and boyfriend of the woman, wrote in a recent blog post. (Montague told Motherboard he did not name the woman in the post for privacy reasons.)

Since the emails were legitimate, the couple was able to access the Kenya-based rider's account by simply requesting a password reset. Once inside, the pair could see the rider's full name, phone number, payment method, and maps allegedly of every trip they had taken since the person had started using Uber.

"Thus we can infer with high probability their home address and common travel destinations," Montague adds. He says he raised the issue with Uber over a number of months.

The root of the problem is really quite simple: the Kenya-based rider registered with an email address, say, firstnamelastname@gmail.com. Montague's girlfriend used a nearly identical email address, except this one had a period in it; so, for sake of example, firstname.lastname@gmail.com.

Gmail, as you might know, ignores periods in the local part of an email address, at least for personal accounts. In Google's eyes, these two addresses were the same mailbox.

"If you have a personal account (typically ending in gmail.com), it doesn't matter if people type the period in your username or not," Google's support website reads. When Uber was automatically sending emails to the address registered with the Kenyan account, they were instead going to Montague's girlfriend.

The issue isn't only a matter of how Google handles email; it also stems from the fact that Uber does not always require users to verify their email address.

"The vast majority of people create Uber accounts on a mobile device (where they may or may not have access to email), so we verify the phone number used when a new account is created," Melanie Ensign, a spokesperson for Uber, told Motherboard in an email.

So it's arguably a user experience decision. But it does still leave open the possibility of an easy password reset and account hijack.
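The two defensive controls the story points at, recognising that two spellings of a Gmail address reach the same mailbox and refusing to send a password reset to an address the user never verified, are both small to implement. The following is an added illustration, not Uber's code and not from Montague's post: the account store, the `canonical_email` and `request_password_reset` names, and the sample addresses are all constructed for the example. It goes slightly beyond the article in that the canonicaliser also folds the googlemail.com alias and drops a "+tag" suffix, which Gmail likewise ignores; the page itself only mentions periods.

```python
"""Email canonicalisation and a verification gate for password resets.

Constructed example (not Uber's code, not from the blog post discussed
in the article). Account records, names and sample addresses are assumed.
"""
from dataclasses import dataclass, field

# Domains whose mail service ignores dots in the local part. Gmail
# personal accounts behave this way; googlemail.com is an alias for the
# same mailboxes.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a key under which addresses that reach the same mailbox collide.

    Everything is lower-cased. For Gmail personal accounts the "+tag"
    suffix is dropped, dots are removed from the local part, and the
    googlemail.com alias is folded onto gmail.com. Other domains are
    left as they are, because their rules are unknown.
    """
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


@dataclass
class Account:
    user_id: str
    email: str
    email_verified: bool = False  # set only after a confirmation link is clicked


@dataclass
class AccountStore:
    accounts: dict = field(default_factory=dict)  # user_id -> Account

    def register(self, user_id: str, email: str) -> Account:
        """Mobile-style signup: phone verified elsewhere, email not yet verified."""
        acct = Account(user_id, email)
        self.accounts[user_id] = acct
        return acct

    def find_collisions(self) -> dict:
        """Audit helper: group accounts whose addresses canonicalise to one mailbox.

        Returns {canonical_address: [user_id, ...]} for groups of two or more.
        """
        by_key: dict = {}
        for acct in self.accounts.values():
            by_key.setdefault(canonical_email(acct.email), []).append(acct.user_id)
        return {key: ids for key, ids in by_key.items() if len(ids) > 1}

    def request_password_reset(self, user_id: str) -> tuple:
        """Return (ok, message). A reset link only goes to a verified address.

        An unverified address may belong to someone else entirely, as in
        the Nairobi/Brisbane case, so the reset must fall back to a channel
        the service did verify (the phone number) instead.
        """
        acct = self.accounts[user_id]
        if not acct.email_verified:
            return False, "email not verified; reset must use the verified phone number"
        return True, f"reset link sent to {acct.email}"


if __name__ == "__main__":
    store = AccountStore()
    store.register("nairobi-rider", "firstnamelastname@gmail.com")
    store.register("brisbane-user", "firstname.lastname@gmail.com")
    print("colliding mailboxes:", store.find_collisions())
    print(store.request_password_reset("nairobi-rider"))
```

The collision audit only helps when both parties hold accounts on the same service; in the article the Brisbane recipient need not have been an Uber user at all, which is why the verification gate in `request_password_reset` is the control that actually closes the takeover path.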

Since publishing his blog post, Montague says Uber has deleted the account he had access to.