How I could have done an identity spoofing attack due to a DNS misconfiguration at AT&T.

The first vulnerability I found on HackerOne.com as a bug bounty researcher was in AT&T's DNS servers. They had a misconfiguration in many records, one of them the SPF record. To be specific, the entire SPF record was empty. What does that mean? It means that the sending mail servers aren't being verified, so I could send an email as the CEO of AT&T and it would arrive at its destination as if it were legitimate. This could be done from an email server set up by me on a Raspberry Pi or a VPS.

Check your SPF and other DNS settings at: mxtoolbox
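As an added example (not part of the original post), the following Python script classifies a domain's SPF posture from its TXT records, the same distinction a tool like mxtoolbox makes between an empty, missing, permissive or enforced record. The domain names and TXT answers are constructed samples, and `include:`, `a` and `mx` mechanisms are deliberately not resolved so the check runs offline.

```python
import ipaddress

# Constructed sample TXT answers for hypothetical domains (not real DNS data).
SAMPLE_TXT = {
    "empty.example":      ["v=spf1"],                  # SPF present but no mechanisms
    "none.example":       ["site-verification=abc"],   # no SPF record at all
    "permissive.example": ["v=spf1 +all"],             # anyone may send as this domain
    "strict.example":     ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
}

def find_spf(txt_records):
    """Return the SPF records among a domain's TXT records (RFC 7208 allows exactly one)."""
    return [r for r in txt_records if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]

def split_term(term):
    """Split a term into (qualifier, mechanism); the default qualifier is '+'."""
    if term[0] in "+-~?":
        return term[0], term[1:].lower()
    return "+", term.lower()

def assess_spf(txt_records):
    """Classify SPF posture: missing, invalid, empty, permissive, neutral, softfail or enforced."""
    found = find_spf(txt_records)
    if not found:
        return "missing"
    if len(found) > 1:
        return "invalid"        # several records is a permerror; receivers cannot verify
    terms = found[0].split()[1:]
    if not terms:
        return "empty"          # bare 'v=spf1': every sender evaluates to Neutral
    for term in terms:
        qual, mech = split_term(term)
        if mech == "all":
            return {"+": "permissive", "?": "neutral", "~": "softfail", "-": "enforced"}[qual]
    return "neutral"            # no 'all' term: the RFC 7208 default result is Neutral

def ip_listed(txt_records, sender_ip):
    """True if sender_ip matches a literal ip4:/ip6: mechanism with a pass qualifier.
    Assumption: include:/a/mx are not resolved, so False is not a definitive SPF Fail."""
    found = find_spf(txt_records)
    if len(found) != 1:
        return False
    ip = ipaddress.ip_address(sender_ip)
    for term in found[0].split()[1:]:
        qual, mech = split_term(term)
        if qual == "+" and mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech.split(":", 1)[1], strict=False):
                return True
    return False
```

Feed `assess_spf` the TXT strings returned by `dig TXT <domain>`; the results "missing", "invalid", "empty", "permissive" and "neutral" all mean a receiving server has no basis to reject a forged sender, which is the condition the post describes.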

Can you imagine the scale of damage that could be done in a phishing attack?

Here is the report I submitted. They never disclosed it and marked it as a duplicate report, but the vulnerability was fixed in 2 or 3 days:

The fake email I sent from support@att.com to myself:

I used a free mailer, but in a real case a PHP mailer on a cloud virtual host could do the job.

A DNS misconfiguration in an SPF record may end in a successful phishing attack; if sensitive information is leaked, it can mean a big headache and money losses at the scale of a corporation like AT&T.

Here I found a nice and very well explained guide to generating an SPF record: just add a new TXT record in your DNS config and fill it with the SPF info:

https://www.validity.com/blog/how-to-build-your-spf-record-in-5-simple-steps/

Thanks for reading!
