Are you sure this is a trusted email?

Khaled Hassan
Jun 5, 2018 · 4 min read

Hey,

This is my first writeup about a security vulnerability that I recently found in a private bug bounty program.

This program is a popular accounting software. The story started when I was going to send an invoice that I had created on the website to an external email address.

So I sent the invoice to my test email address and noticed something strange: the website's emailing system uses the customer's email address as the sender, sending the invoice email on behalf of that address. That seemed rather odd to me because I hadn't seen this behaviour before, so I decided to take a deep look at this feature.

The HTTP request for sending an invoice looked something like this:

I quickly noticed that the mail_from parameter is under the attacker's control. So I changed this parameter to the email address the website uses to email its customers, which is ( info@website.com ), and I changed my account name to match theirs, which is ( Team reacted ).

A few seconds after sending the request, I found this in my inbox.

I was really shocked by the result. The email had been sent on behalf of the website's own system. So I started to figure out the cause of this vulnerability and to think of ways to exploit it.

So let me explain how this happened. As a first step, I compared two emails: one that I sent from ( info@website.co ) using the vulnerability I found, and one that the website's emailing system sent when I requested a password reset.

The headers of the two emails were as follows.

Details of the email that I sent to myself using the vulnerability:

To: team@seecureapp.com
Subject: Just a message
SPF: PASS with IP 203.25.220.41
DKIM: 'PASS' with domain zonevs.eu

Details of the email that the website system sent me when I requested a password reset:

To: khaled <khaled.hassan@seecureapp.com>
Subject: Password reset
SPF: PASS with IP 203.25.220.41
DKIM: 'PASS' with domain zonevs.eu

As we can see, there is no difference between the two. From this we can conclude that the SMTP server responsible for sending emails via the vulnerable endpoint is the same server the website uses to email its customers, so its SPF and DKIM results look identical to those of a legitimate system email.
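To show the root cause in code, here is an added example written for this post (not the program's own code): a hypothetical invoice mailer that copies the customer-supplied mail_from value straight into the From header, next to a hardened version that always sends from a fixed platform identity and moves the customer's address to Reply-To after validating it. The sender address, function names and sample addresses are assumptions.

```python
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Hypothetical fixed identity that the platform's own mail server is
# allowed to sign for (assumption, not the real program's address).
SYSTEM_SENDER = "Invoices <invoices@example.com>"


def build_invoice_vulnerable(mail_from: str, to: str, body: str) -> EmailMessage:
    """Vulnerable pattern: the request's mail_from becomes the From header,
    so a caller can impersonate the platform's own sender on its own SMTP
    server, which is exactly why SPF and DKIM still pass."""
    msg = EmailMessage()
    msg["From"] = mail_from  # taken verbatim from the HTTP request
    msg["To"] = to
    msg["Subject"] = "Invoice"
    msg.set_content(body)
    return msg


def safe_reply_address(candidate: str) -> Optional[str]:
    """Accept a single plain mailbox: no CR/LF (header injection), exactly
    one '@', no whitespace in the address part. Returns None on rejection."""
    if "\r" in candidate or "\n" in candidate:
        return None
    _name, addr = parseaddr(candidate)
    if not addr or addr.count("@") != 1 or any(c.isspace() for c in addr):
        return None
    return addr


def build_invoice_hardened(customer_addr: str, to: str, body: str) -> EmailMessage:
    """Hardened pattern: From is always the platform's verified identity.
    The customer's address only ever lands in Reply-To, and only if it
    passes validation, so replies still reach them but nobody can forge
    the platform's sender."""
    msg = EmailMessage()
    msg["From"] = SYSTEM_SENDER
    reply_to = safe_reply_address(customer_addr)
    if reply_to is not None:
        msg["Reply-To"] = reply_to
    msg["To"] = to
    msg["Subject"] = "Invoice"
    msg.set_content(body)
    return msg
```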

How did I exploit this?

I wanted to make the attack more convincing. I quickly browsed to one of the emails the website had sent me when I was resetting my password, and copied the HTML code of that email template.

Abusing website features

The website allows you to create email templates to use when sending invoices, so I copied the HTML code of their original email and used it as an email template.

Original email

Adding the source code of their email:

The email template after I set it as the invoice email:

But what is behind the Click here button? I had reported a subdomain takeover to the program and it has been fixed now, so I can't use the subdomain takeover issue here. But I have a good trick.

When you register an account on the website, user accounts are registered as ( seecureapp.website.com ), so I registered an account with the username ( payments.reacted.com ) to convince the user that this is the payment page.

Abusing webforms on the website:

This website also allows you to create a web form on your account to survey your customers, so I created a web form in the payments account this way.

Another exploit:

So now I can ask website users to enter their passwords and credit card details as well, and their credentials will be sent to me as web form answers.

Lessons learned:

  1. When you test a website that sends emails on behalf of a user's email address, don't forget to test this attack. I have tested it many, many times and it has succeeded on every website I have come across.
  2. Try to abuse website features as much as you can. This was not very exploitable until I combined it with other features in the attack.

Timeline:

Report Submitted : 30–4–2018

Report Triaged : 30–4–2018

$900 bounty Awarded : 7–5–2018
