Vulnerability Found : Email Spoofing
Nicolás Alvarez
nalvarez at kde.org
Sat Apr 3 21:44:02 BST 2021
This is not a vulnerability. Adding DMARC records would break several
workflows our systems and users use.
If missing a DMARC record was always universally a vulnerability, why
would it even be optional? Mailservers would just act as if it was
always present.
It's quite suspicious that your email is so similar to another we got
a week ago from another "security researcher" about the same
"vulnerability". What automated tool are you using to scan for this?
--
Nicolás
KDE Sysadmin Team
El sáb, 3 de abr. de 2021 a la(s) 17:28, Benjamin Henry
(whitehattester202 at inbox.eu) escribió:
>
> Hello IT Team,
>
> I am a professional freelance security researcher. I have taken the liberty of performing a cursory audit of your website's public security configuration (the public-
> facing information for: kde.org and associated services), and have discovered a vulnerability that I believe you would appreciate being made aware of. In the spirit
> of responsible disclosure, I have included a report for one of the issues below, detailing the exact nature of the vulnerability, and would greatly appreciate
> consideration for a bounty reward from your department if such is available. If I do not receive a response I may attempt to contact you again once or twice in an
> effort to ensure my message has reached you.
>
>
> DESCRIPTION:
>
> The issue I’m going to discuss here is Email Spoofing. To demonstrate the authenticity of the issue I just sent a forged email to tm360289 at gmail.com that appears
> to originate from security at kde.org . I was able to do this because of the following:
>
> DMARC record lookup and validation for: kde.org
>
> "No DMARC Record found"
>
> And
>
> “DMARC Quarantine/Reject policy not enabled"
>
>
>
> Recommended Fix :
> 1) Publish a DMARC Record.
> 2) Enable DMARC Quarantine/Reject policy
> 3) Your DMARC record should look like
> "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:info at domain.com"
>
>
>
> You can send a forged test email by using any PHP mailer tool like this
>
> <?php
> $to = "VICTIM at example.com";
> $subject = "Password Change";
> $txt = "Change your password by visiting here - [VIRUS LINK HERE]l";
> $headers = "From: security at kde.org . ";
> mail($to,$subject,$txt,$headers);
>
> ?>
>
> Impact :
>
> These attacks may be used to launch phishing attacks so as to get information from users. In addition, these may be used to spam users with emails. Spoofed
> emails are also used to carry infections like Trojans to do harm to victim systems.
>
>
> You can check your DMARC record at: https://mxtoolbox.com
>
> References:
> https://www.knownhost.com/wiki/email/troubleshooting/setting-up_spf-dkim-dmarc_records
>
> https://www.dmarcanalyzer.com/dmarc/
>
> https://www.digitalshadows.com/blog-and-research/security-practitioners-guide-to-email-spoofing-and-risk-reduction/
>
>
> Let me know if you need me to send another forged email, or if have any other questions. I’m hoping to receive a bounty reward for my current finding. I will be
> looking forward to hear from you on this and will be reporting other vulnerabilities accordingly.
>
>
> Thanks,
>
> Regards:
> Benjamin Henry
>
>
More information about the kde-www
mailing list