Closed Bug 1336196 Opened 8 years ago Closed 8 years ago

Email Spoofing

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1285023

People

(Reporter: impactofasho, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(1 file)

Hi there,

Similar to this report submitted to Hackerone itself: https://hackerone.com/reports/575

You also are vulnerable to email spoofing. It came to my attention that due to a lack of mail-server configuration (probably has to do with the way your SPF records are set up, if they are set up), it is possible to forge emails coming from your domain. Using an online service called emkei.cz I was able to successfully spoof an email to your domain name, send it to my own email and have it land in the inbox of my email account.

This is a security threat; spoofing emails can be and are used for dangerous spear phishing attacks and misleading people. Therefore, I wanted to bring this to your attention.

Steps to reproduce:
1- Go to https://emkei.cz ( A Fake Mailer )
2- Set the from to parameter as admin@mozilla.org or any other name
3- The email is sent with any content you'd like to add as the message.

Kind regards
Flags: sec-bounty?
Sascha: thank you for reporting this to us, this is something we are aware of. This was reported in bug 1285023 and resolved as WONTFIX.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE
Group: websites-security
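
The report attributes the spoofing to how SPF records are set up. As an added example (not part of this bug or of any Mozilla code), the Python below classifies what a domain's published SPF and DMARC TXT records ask receivers to do with forged mail. The posture labels are hypothetical, every record is a constructed sample, and DMARC tags other than `p` are ignored.

```python
# Added example; all TXT records used with it are constructed samples.
SPF_ALL = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def spf_all_result(txt_records):
    """Result of the SPF 'all' mechanism; None when no SPF record exists."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return None
    if len(spf) > 1:
        return "permerror"      # more than one SPF record is an error
    terms = [t.lower() for t in spf[0].split()[1:]]
    for t in terms:
        if t.lstrip("+-~?") == "all":
            return SPF_ALL.get(t[0], "pass")   # bare "all" means "+all"
    if any(t.startswith("redirect=") for t in terms):
        return "redirect"       # policy is taken from another domain
    return "neutral"            # no "all" term: unmatched senders are neutral


def dmarc_policy(txt_records):
    """The p= value of the DMARC record at _dmarc.<domain>, or None."""
    for r in txt_records:
        parts = (p.partition("=") for p in r.split(";"))
        tags = {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}
        if tags.get("v") == "DMARC1":
            return tags.get("p", "").lower() or None
    return None


def spoofing_posture(spf_txt, dmarc_txt):
    """Hypothetical three-level label for how forged mail is treated."""
    if dmarc_policy(dmarc_txt) in ("reject", "quarantine"):
        return "enforced"       # receivers asked to reject/quarantine DMARC failures
    if spf_all_result(spf_txt) == "fail":
        return "spf-only"       # envelope sender covered, header From is not
    return "unenforced"


if __name__ == "__main__":
    samples = {  # constructed records for placeholder domains
        "a.example": (["v=spf1 mx -all"], ["v=DMARC1; p=reject"]),
        "b.example": (["v=spf1 include:_spf.b.example ~all"], ["v=DMARC1; p=none"]),
        "c.example": (["site-verification=constructed"], []),
    }
    for domain, (spf, dmarc) in samples.items():
        print(domain, spf_all_result(spf), dmarc_policy(dmarc), spoofing_posture(spf, dmarc))
```

SPF is evaluated against the envelope sender, so a `-all` record alone leaves the visible From header unchecked, which is why the example reports that case separately from a DMARC policy of `quarantine` or `reject`.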