No spoofing protection on multiple critical domains (delivers directly to inbox)
Categories: Websites :: Other, task
Tracking: Not tracked
People: Reporter: zakebenjwal, Unassigned
References
Details: Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Attachments: 2 files
Vulnerability: email spoofing to Gmail inbox (Google magic verified)
So I got some bounties on Bugcrowd, and most of them are spoofing related, so I just submitted a Firefox buffer overflow on a client bug bounty program and was just curious to see how secure Mozilla and their customers are. So whenever I try to find any bug on a web app, I first go with email spoofing; it's rare, but it just takes 5 minutes to test. And then I found mozilla.com is vulnerable, so I tried more domains from the critical list and got to know that most of them are vulnerable to email spoofing directly to users' inbox as verified mail.
Comment 1 (Reporter) • 6 years ago
Description: no spoofing protection on multiple domains; I am listing them below: mozilla.com, mozilla.org, firefox.com, getfirefox.com, getpocket.com. So all of these domains are main domains of Mozilla, and any hacker can send forged emails to your customers saying they are from Mozilla, because it directly delivers the mail to the inbox and Google marks it as important, so there's a 90% chance most of the people will get fooled and hacked.
Impact: with this vulnerability an attacker can forge a fake mail and send it to a victim as if it came from any of these vulnerable domains. An attacker can put anything in the email, including bad files and links, could ask for bank or Mozilla account details or personal information, and most people will provide all of that just seeing the mail came from official Mozilla websites, because an attacker can directly deliver the mail to the Gmail inbox. So this way an attacker can steal details about users, because people will easily trust the mail. Most of the critical hacking attacks happen because of such vulnerabilities, because it is easier and very powerful to manipulate the human brain rather than computers.
POC: attaching a video POC.
I don't know why all this description got cancelled while uploading the bug, so I am just pasting it here.
Comment 2 (Reporter) • 6 years ago
https://drive.google.com/file/d/1VKN5QP9aXDQnsRqObLaCpRoSLc80jYgD/view?usp=sharing
This is my Google Drive link; you will find the video POC here.
Comment 3 (Reporter) • 6 years ago
Here I can even spoof bhourigan's email also... LOL
Comment 4 (Reporter) • 6 years ago
And also dylan@mozilla.com... this one was marked as important because I changed the name to "secured"... and boom, it's like you guys sent me this email if I type some email professionally like you guys XD
Updated (Reporter) • 6 years ago
Comment 5 (Caglar Ulucenk [:Cag]) • 6 years ago
Thank you for reporting this, zakebbenjwal.
This is a known issue. We're in the process of implementing DKIM/DMARC on our domains, but it's complicated by the fact that the domain is also used as a mailing list, for "mozilla.org" domain at least.
I will get the opinion of others for the remainder of the domains you mentioned, such as firefox.com, getfirefox.com, getpocket.com.
:april, :limed, I've read most of the past issues similar to this but was unable to find DKIM/DMARC details for the above domains. Care to comment?
Updated • 6 years ago
Comment 6 (Reporter) • 6 years ago
(In reply to Caglar Ulucenk [:Cag] from comment #5)
> Thank you for reporting this, zakebbenjwal.
> This is a known issue. We're in the process of implementing DKIM/DMARC on our domains, but it's complicated by the fact that the domain is also used as a mailing list, for "mozilla.org" domain at least.
> I will get the opinion of others for the remainder of the domains you mentioned, such as firefox.com, getfirefox.com, getpocket.com.
> :april, :limed, I've read most of the past issues similar to this but was unable to find DKIM/DMARC details for the above domains. Care to comment?
Okay sir, you can check those details on mxtoolbox.com.
Thank you.
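What "no spoofing protection" means at the DNS level, and why the DKIM/DMARC rollout discussed in comment 5 is what actually closes the hole, is easier to see with a small posture checker. The following is an added example, not code from the bug report, from the reporter, or from Mozilla. It does what a tool such as mxtoolbox.com does for the SPF and DMARC part, but offline: the DNS lookup is replaced by a constructed table of TXT records for made-up domains (the `.test` names and their records are assumptions, not anyone's real DNS), and the classifier reports how a DMARC-honouring receiver such as Gmail treats a message whose header From is forged as that domain.

```python
"""Classify a domain's mail-spoofing posture from its SPF and DMARC TXT records.

Added example, not part of the original bug report. DNS is replaced by a
constructed dict so the code runs offline; a real check would fetch TXT
records for <domain> (SPF) and _dmarc.<domain> (DMARC).
"""
import re

# Constructed sample TXT records (assumption: illustrative domains only).
SAMPLE_TXT = {
    "unprotected.test": [],                                   # nothing published
    "_dmarc.unprotected.test": [],
    "spf-only.test": ["v=spf1 include:_spf.mail.test -all"],  # SPF but no DMARC
    "_dmarc.spf-only.test": [],
    "monitor.test": ["v=spf1 include:_spf.mail.test ~all"],
    "_dmarc.monitor.test": ["v=DMARC1; p=none; rua=mailto:dmarc-rua@monitor.test"],
    "partial.test": ["v=spf1 include:_spf.mail.test -all"],
    "_dmarc.partial.test": ["v=DMARC1; p=reject; pct=50"],
    "strict.test": ["v=spf1 include:_spf.mail.test -all"],
    "_dmarc.strict.test": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"],
}


def parse_spf(records):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~' or '?'),
    '?' when the record has no 'all' term (the default result is neutral),
    or None when the domain publishes no SPF record at all."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            for term in rec.split()[1:]:
                m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
                if m:
                    return m.group(1) or "+"
            return "?"
    return None


def parse_dmarc(records):
    """Return the DMARC tags as a dict with lowercased keys, or None if absent."""
    for rec in records:
        if re.match(r"\s*v\s*=\s*dmarc1\b", rec, re.IGNORECASE):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, val = part.split("=", 1)
                    tags[key.strip().lower()] = val.strip()
            return tags
    return None


def spoof_posture(domain, txt=SAMPLE_TXT):
    """Return (verdict, reasons) for mail whose header From is forged as <domain>.

    Verdicts: 'spoofable' (delivered as if genuine), 'partially enforced',
    'quarantined' (lands in spam) or 'rejected' (refused at SMTP time).
    """
    reasons = []
    spf_all = parse_spf(txt.get(domain, []))
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))

    if spf_all is None:
        reasons.append("no SPF record")
    elif spf_all in ("+", "?"):
        reasons.append(f"SPF 'all' qualifier '{spf_all}' lets any sender pass")

    # SPF only constrains the envelope MAIL FROM. The header From that the
    # user sees is protected only when a DMARC policy requires an aligned
    # SPF or DKIM pass and tells receivers what to do on failure.
    if dmarc is None:
        reasons.append("no DMARC record: SPF/DKIM results are advisory, forged From is accepted")
        return "spoofable", reasons

    policy = dmarc.get("p", "none").lower()
    pct = int(dmarc.get("pct", "100"))
    if policy == "none":
        reasons.append("DMARC p=none only requests reports; nothing is enforced")
        return "spoofable", reasons
    if pct < 100:
        reasons.append(f"pct={pct}: only {pct}% of failing messages get p={policy}")
        return "partially enforced", reasons
    if policy == "quarantine":
        reasons.append("DMARC p=quarantine: forged mail goes to spam, not the inbox")
        return "quarantined", reasons
    reasons.append("DMARC p=reject: forged mail is rejected at SMTP time")
    return "rejected", reasons


if __name__ == "__main__":
    for name in ("unprotected.test", "spf-only.test", "monitor.test",
                 "partial.test", "strict.test"):
        verdict, why = spoof_posture(name)
        print(f"{name:18} {verdict:20} {'; '.join(why)}")
```

Two things the table makes visible. First, SPF alone (the `spf-only.test` row) does not stop the attack in this report: SPF is evaluated against the envelope sender, so a forged header From still reaches the inbox until a DMARC record ties the two together. Second, the mailing-list complication raised in comment 5 is the usual reason a domain sits at `p=none`: list software that rewrites the Subject or appends a footer invalidates the author's DKIM signature, and the list's own server fails SPF alignment for the author's domain, so moving that domain to `p=reject` makes receivers bounce legitimate list traffic unless the list rewrites the From header or the receivers honour ARC.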
Comment 7 (Reporter) • 6 years ago
How do I mark it for bounty consideration?? I am confused... please help me.
Comment 8 (Caglar Ulucenk [:Cag]) • 6 years ago
It is already marked for consideration, we have not made a decision yet.
Comment 9 (Reporter) • 6 years ago
(In reply to Caglar Ulucenk [:Cag] from comment #8)
> It is already marked for consideration, we have not made a decision yet.
Oh, okay, thanks for the reply.
Comment 10 (April King [:April]) • 6 years ago
We appreciate you participating, but this is a known issue and is ineligible for our bug bounty program:
https://www.mozilla.org/en-US/security/web-bug-bounty/
Good luck bug hunting!
Comment 11 (Reporter) • 6 years ago
(In reply to April King [:April] from comment #10)
> We appreciate you participating, but this is a known issue and is ineligible for our bug bounty program:
> https://www.mozilla.org/en-US/security/web-bug-bounty/
> Good luck bug hunting!
> *** This bug has been marked as a duplicate of bug 1285023 ***
Only mozilla.org was reported by other bug hunters.
What about the other domains?? Those are not duplicates.
Comment 12 (Reporter) • 6 years ago
In the exclusions they said spam... this is not spam.
It is delivering the emails directly to the inbox as Google magic verified.
Updated • 6 years ago
Comment 13 (Reporter) • 6 years ago
I have already provided the information. Only one website is a duplicate; I have reported 4 more domains.
I deserve a bounty for those four.
:( She marked it duplicate because one domain was reported by someone before.
She did not even read the whole report and comments.
Comment 14 • 6 years ago
The bug bounty program is very clear on this. It's not just spam, but any issues related to DKIM, DMARC, or SPF are specifically excluded:
• Spam (including issues related to SPF/DKIM/DMARC)
From the page linked directly above.
Comment 15 (Reporter) • 6 years ago
> • Spam (including issues related to SPF/DKIM/DMARC)
This means spam, and issues related to SPF, DKIM and DMARC which cause spam, are excluded.
I have reported the bug on 10 websites which have that line written.
If an issue is causing spam with SPF/DMARC, that's called spam and issues related to DMARC and SPF.
Because if it delivers to the inbox, that's not spam. Spam is when the email just fills the user's mailbox in spam.
That's a valid bug which everyone accepts.
Updated • 4 years ago
Updated • 9 months ago