How I was able to perform an identity spoofing attack due to a DNS misconfiguration at AT&T.
The first vulnerability I found through HackerOne.com as a bug bounty researcher was in AT&T's DNS servers. They had a misconfiguration in several records, one of them being the SPF record. To be specific, the entire SPF record was empty. What does that mean? It means that sending mail servers are not being verified, so I could send an email as the CEO of AT&T and it would arrive at its destination as if it were legitimate. This could be triggered from an email server set up by me on a Raspberry Pi or a VPS.
Check your SPF and other DNS settings at: mxtoolbox
Can you imagine the scale of damage that could be done with a phishing attack?
Here is the report I submitted. They never disclosed it and marked it as a duplicate report, but the vulnerability was fixed within 2 or 3 days:
The fake email I sent from email@example.com to myself:
I used a free mailer, but in a real case a PHP mailer on a cloud virtual host could do the job.
A DNS misconfiguration in an SPF record may end in a successful phishing attack; if sensitive information is leaked, it can mean a big headache and financial losses for a corporation the size of AT&T.
Here I found a nice and very well explained guide to generating an SPF record: just add a new TXT record in your DNS configuration and fill it with the SPF information:
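To make the difference between an empty record and a proper one concrete, here is a small SPF evaluator I added for this post (it is not the author's code, nor AT&T's). It resolves nothing over the network: lookup_txt returns constructed TXT answers for placeholder domains, and only the ip4, ip6 and all mechanisms are evaluated (include, a and mx are skipped), which is enough to show why "v=spf1" alone, or no record at all, leaves a domain spoofable while "-all" does not.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed sample TXT answers standing in for DNS lookups (placeholder domains, not real data).
SAMPLE_TXT: Dict[str, List[str]] = {
    "empty.example": ["v=spf1"],                          # record published but lists no senders
    "none.example": [],                                   # no SPF record published at all
    "strict.example": ["v=spf1 ip4:203.0.113.0/24 -all"],  # hard fail for anyone else
    "soft.example": ["v=spf1 ip4:203.0.113.10 ~all"],      # soft fail: usually delivered, maybe flagged
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain: str) -> List[str]:
    """Stand-in for a real TXT query; returns the constructed records above."""
    return SAMPLE_TXT.get(domain, [])


def check_spf(domain: str, sender_ip: str,
              lookup: Callable[[str], List[str]] = lookup_txt) -> str:
    """Evaluate sender_ip against domain's SPF record (ip4/ip6/all mechanisms only).

    Returns one of: none, permerror, pass, fail, softfail, neutral.
    include/a/mx terms are skipped here, so real records using them need a full resolver.
    """
    records = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"        # nothing published: receivers cannot verify the sender at all
    if len(records) > 1:
        return "permerror"   # RFC 7208: more than one SPF record is a permanent error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"      # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"         # RFC 7208 default when no term matches, e.g. a bare "v=spf1"


def spoofable(domain: str, sender_ip: str,
              lookup: Callable[[str], List[str]] = lookup_txt) -> bool:
    """True when mail from an unrelated IP is not rejected outright by SPF."""
    return check_spf(domain, sender_ip, lookup) != "fail"
```

Only the strict record yields "fail" for an unrelated sender; "none", "neutral" and "softfail" all leave the spoofed message deliverable unless DMARC or other filtering steps in.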
Thanks for reading!