Since July, one woman has received over 200 emails from Uber notifying her of recently completed trips. Many of them were for short rides around Nairobi, Kenya, and she sometimes received several a day.
That might not be particularly unusual; Nairobi is one of Uber’s biggest markets in Africa. Except this woman was halfway across the world, in Brisbane, Australia.
“Uber has an account security issue and support is either not taking the problem seriously, or they do not understand the risk,” Mike Montague, an IT specialist and boyfriend of the woman, wrote in a recent blog post. (Montague told Motherboard he did not name the woman in the post for privacy reasons).
Since the emails were legitimate, the couple was able to access the Kenya-based rider’s account by simply requesting a password reset. Once inside, the pair could see the rider’s full name, phone number, payment method, and maps allegedly of every trip they had taken since the person had started using Uber.
“Thus we can infer with high probability their home address and common travel destinations,” Montague adds, who says he raised the issue with Uber over a number of months.
The root of the problem is really quite simple: the Kenya-based rider registered with an email address, say, firstname.lastname@example.org. Montague’s girlfriend used a nearly identical email address, except this one had a period in it; so, for sake of example, email@example.com.
Gmail, as you might know, doesn’t recognize periods in email addresses, at least for personal accounts. In Google’s eyes, these two addresses were practically the same one.
“If you have a personal account (typically ending in gmail.com), it doesn’t matter if people type the period in your username or not,” Google’s support website reads. When Uber was automatically sending emails to the address registered with the Kenyan account, they were instead going to Montague’s girlfriend.
The issue isn’t just related to how Google handles email, but also the fact that Uber does not always force users to verify their email address.