Email Spoofing Vulnerability Payout

The Bug Bounty Swarm paid out 4 HNY ($2000 at time of payment) to a user for responsibly disclosing an issue that would allow anyone to spoof the 1hive.org domain and send emails from it, e.g. from [email protected]. This issue has now been fixed with help from @lkngtn and @crisog.

Using the CVSS risk rating scale we scored the vulnerability 4.7 which amounts to a reward of up to $2000 in Honey as specified in the bug bounty specification.

It should be noted that this vulnerability has nothing to do with the smart contracts and although the bug bounty specification implies it is only for smart contracts we still considered it worth paying out a bounty for this disclosure.

For reference I was contacted directly on Discord and the original vulnerability report is below:

Hello Team,

I am a security researcher and I have found a vulnerability on your website/domain.

Summary:

I just checked for DMARC records and DMARC policy for the 1hive.org domain and there are none.
I also checked for SPF records and there are issues with it: soft fail (pics attached).

Effectively allowing for spam to originate from that domain.

You can validate by testing yourself over here: mxtoolbox.com

Severity: Medium

Steps to Reproduce:

This can be done using any PHP mailer tool like this:

    <?php
    $to = "[email protected]";
    $subject = "Get Free Airdrops";
    $txt = "Click below to get airdrops - [VIRUS LINK HERE]";
    $headers = "From: [email protected]";
    mail($to, $subject, $txt, $headers);
    ?>

Impact:

This is useful in phishing, and this type of vulnerability is newsworthy:

1. http://bits.blogs.nytimes.com/2015/04/09/sendgrid-email-breach-was-used-to-attack-coinbase-a-bitcoin-exchange/
2. https://medium.com/@hotbit/official-statement-notices-of-counterfeit-email-listing-hotbit-io-d1d240005d35

Due to this vulnerability, any hacker can send a forged email to your customers using your domain, thus getting sensitive information of your customers like login details, personal information, forced download of a virus/malware, etc.
Also, when an attacker sends an email to your customers asking them to change their password, to get airdrops of your coin/token, or even to buy your product at a discount, the customer, after seeing the mail, might consider the mail legit and fall for the trap.
In doing this the attacker can take them to his website where certain JavaScript is executed which steals the customer's session id and password.
The results can be more dangerous and impactful.

Fix:

You can find the SPF fix here: https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability

For the DMARC record: https://easydmarc.com/blog/how-to-fix-no-dmarc-record-found/

and the DMARC policy here: https://support.rackspace.com/how-to/create-a-dmarc-policy/

Let me know if you need me to send a forged email.

Note: I am expecting a bounty for this responsible disclosure and I would like to report more in the future.

Regards,
Phoenix

Thanks to the reporter for the responsible disclosure. We welcome any further sharing of vulnerabilities in accordance with the Bug Bounty Program.

13 Likes
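Added example, not code from this thread or from 1hive: a small Python check for the two weaknesses the report names (an SPF record ending in soft fail, and no DMARC policy), run against constructed sample TXT records through a stub resolver. `lookup_txt` and the `*.example` records are assumptions for offline use; swap in a real DNS query (e.g. dnspython) to audit a live domain.

```python
import re
from typing import Dict, List, Optional

# Constructed sample TXT answers (not the real 1hive.org records) so the
# audit runs offline. "weak.example" mirrors the report: SPF with ~all and
# no _dmarc record at all; "good.example" is the hardened configuration.
SAMPLE_TXT: Dict[str, List[str]] = {
    "weak.example": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.weak.example": [],
    "good.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
}

def lookup_txt(name: str) -> List[str]:
    """Hypothetical resolver stub; replace with a live TXT lookup."""
    return SAMPLE_TXT.get(name, [])

def spf_policy(records: List[str]) -> Optional[str]:
    """Return the qualifier of the SPF 'all' mechanism (-, ~, ?, +) or None."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or multiple SPF records both mean "no valid SPF"
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf[0])
    return (m.group(1) or "+") if m else None

def dmarc_policy(records: List[str]) -> Optional[str]:
    """Return the DMARC p= value (none, quarantine, reject) or None."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return None
    m = re.search(r"(?:^|;)\s*p=(none|quarantine|reject)\b", dmarc[0], re.I)
    return m.group(1).lower() if m else None

def audit(domain: str) -> Dict[str, object]:
    """Flag the settings that let a forged From: header reach the inbox."""
    spf = spf_policy(lookup_txt(domain))
    dmarc = dmarc_policy(lookup_txt(f"_dmarc.{domain}"))
    findings = []
    if spf is None:
        findings.append("no SPF record")
    elif spf != "-":
        findings.append(f"SPF ends in '{spf}all' (not hard fail)")
    if dmarc is None:
        findings.append("no DMARC record (no From: alignment check)")
    elif dmarc == "none":
        findings.append("DMARC p=none (monitor only, spoofed mail still delivered)")
    return {"spf": spf, "dmarc": dmarc, "findings": findings, "spoofable": bool(findings)}

if __name__ == "__main__":
    for d in ("weak.example", "good.example"):
        print(d, audit(d))
```

Note that SPF alone only covers the envelope sender; without DMARC a passing SPF record still says nothing about the visible From: header, which is why the audit reports a missing DMARC record as a finding even when SPF is hard fail.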

Thank you Phoenix and Will for taking care of these types of things :heart:

3 Likes

@willjgriff Thanks for the disclosure, I love security issues :slight_smile:

3 Likes

Thank you guys, much appreciated!

2 Likes

I like that 1hive takes security concerns seriously :+1: