Hello Team,

I am an ethical hacker, bug bounty hunter and security researcher. I identify bugs in websites and provide vulnerability assessments of the identified issues.
I have found an email spoofing issue in your website which can allow anyone to send emails from “emailhere” to any other users. Please find the details of the bug below.
I am hoping to receive a bug bounty reward for the responsible disclosure of this issue, and I hope to report further bugs once this is pursued and remediated.


Vulnerability: No DMARC Record Found

I just sent a forged email to my email address that appears to originate from “press@lists.podman.io”. I was able to do this because of the following DMARC record:

DMARC record lookup and validation for: lists.podman.io
"No DMARC Record found"


Description:

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities. The DMARC record contains the policy that determines how to handle unauthenticated/forged emails. Its absence can allow an attacker to abuse the domain name.


Fix:

1) Publish a DMARC record.

2) Enable a DMARC quarantine/reject policy.

3) Your DMARC record should look like:
"v=DMARC1; p=reject; pct=100; ri=86400; rua=mailto:press@lists.podman.io"

POC:

This can be done using any PHP mailer tool, like this:

<?php
$to = "VICTIM@example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
// The From header carries the unprotected domain, since no DMARC policy rejects it
$headers = "From: press@lists.podman.io";
mail($to, $subject, $txt, $headers);
?>


You can check your DMARC record from here: https://mxtoolbox.com/DMARC.aspx

 

References:

1) https://www.knownhost.com/wiki/email/troubleshooting/setting-up_spf-dkim-dmarc_records

2) https://blog.redsift.com/email/the-resurgence-of-email-marketing-how-to-run-impactful-and-secure-campaigns-in-light-of-covid-19/

3) https://easydmarc.com/blog/how-to-fix-no-dmarc-record-found/

 

 

Impact:

This is useful in phishing. The attacker can send forged emails from your domain, granting him the ability to pose as a company official and send scam emails to your website users asking them for money or credentials.

 

 

Let me know if you need any further assistance, or if you have any other questions.

 

Thanks,

Regards
ARMAN KTK
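A defender-side check for the condition the report describes, added here as an example and not the reporter's code: it parses a DMARC TXT record as a lookup would return it and flags a missing record, a monitor-only p=none policy, a partial pct, a missing rua address or an unprotected subdomain policy. The sample records are constructed; a live check would fetch the TXT record at _dmarc.<domain> with a DNS library.

```python
from __future__ import annotations


def parse_dmarc(txt: str | None) -> dict[str, str]:
    """Split a DMARC TXT record into tag/value pairs; {} if absent or not DMARC."""
    if not txt:
        return {}
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}  # some other TXT record (e.g. SPF) lives here, not DMARC
    return tags


def assess_dmarc(txt: str | None) -> list[str]:
    """Return defender-actionable findings; an empty list means the record is sound."""
    tags = parse_dmarc(txt)
    if not tags:
        return ["No DMARC record found: publish a v=DMARC1 TXT record at _dmarc.<domain>"]
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("Missing or invalid p= tag; no policy can be enforced")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine or reject")
    pct = tags.get("pct", "100")  # RFC 7489 default is 100
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail flow")
    if "rua" not in tags:
        findings.append("No rua= address: aggregate reports will not be delivered")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


# Constructed sample records (not real lookups) covering the report's cases.
SAMPLES = {
    "missing": None,
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "recommended": "v=DMARC1; p=reject; pct=100; ri=86400; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name}: {assess_dmarc(record) or ['OK']}")
```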