The DMARC record is not properly configured

Disclosed by
Cutiapreta
  • Engagement Linktree
  • Disclosed date over 1 year ago
  • Points 5
  • Priority P4 (Bugcrowd's VRT priority rating)
  • Status Resolved (this vulnerability has been accepted and fixed)
Summary by Cutiapreta

DMARC record misconfiguration

Report details
  • Submitted

  • Target Location

    *.odesli.co
  • Target category

    Web App

  • VRT

    Server Security Misconfiguration > Mail Server Misconfiguration > Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain
  • Priority

    P4
  • Bug URL
    Empty
  • Description

    Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain

    Description:

    When I create an account or perform any actions like a password reset for testing on the 'odesli.co' website, I receive emails from the email domain 'support@odesli.co.' However, when I check the DMARC record of the 'odesli.co' email domain, I find that the domain's policy is not set, which makes email spoofing possible from this email domain.
    (screenshot attached: image-2023-10-26T09:30:20.494Z.png)

    Confirmation of vulnerability steps:

    1. First, open your Linux terminal, whether it's Kali or Parrot.

    2. Next, run the nslookup command as follows: 'nslookup -type=txt _dmarc.odesli.co'

    3. Now you can see that no DMARC record is found.

    4. This means that the email domain is vulnerable to spoofing.

    (screenshot attached: image-2023-10-26T09:35:09.209Z.png)

    Exploitation steps:

    1. Save the attached email spoofing script to your Linux system.

    2. Run the following command in Kali or Parrot: 'apt install postfix && apt install sendemail'

    3. Provide executable permission to the script by running the following command: chmod +x mailspoofer.sh

    4. Execute the script by using the following command, replacing receiver_email with the target recipient's email address: bash mailspoofer.sh receiver_email.

    5. After executing mailspoofer.sh, you will be prompted to enter the email address where you want to send the phishing email. Input the email address you wish to target.

    Proof of Concept (PoC)

    The screenshots below demonstrate the mail server misconfiguration:

    Spoofed mails:

    Phishing by resetting password
    (screenshot attached: image-2023-10-26T09:36:37.435Z.png)

    Phishing by pending payment
    (screenshot attached: image-2023-10-26T09:38:03.725Z.png)

    Impacts:

    I can exploit this situation as an attacker to potentially deceive your customers through phishing attacks, potentially extracting significant funds and acquiring their credentials quite easily.

    We all know that major cyber attacks on companies often begin with email spoofing, accounting for up to 50% of such incidents. Therefore, these vulnerable email addresses can potentially become the root cause of significant cyberattacks on the company.

    Markdown:

    I provided a screenshot of the email to prove that this email domain actually exists because my previous submission was closed as a non-existent email domain. However, this email domain is real and is used by the website for security purposes. Please consider triaging this issue.
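A defender's check for the condition this report describes, added here as an example (it is not the reporter's script or Linktree's code): it parses the TXT records returned for the _dmarc label and classifies the result as missing, monitor-only, or enforced. The sample records are constructed and the DNS query itself is left to a tool such as nslookup, as in the report.

```python
# Constructed sample answers for _dmarc.<domain>, not real DNS data for any domain.
SAMPLES = {
    "missing": [],  # no TXT record at all, the case in this report
    "monitor_only": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
    "hardened": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100;"
                 " rua=mailto:dmarc-reports@example.com"],
}


def parse_dmarc(record):
    """Split one DMARC TXT record into a tag -> value dict (RFC 7489 'tag=value;' syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records):
    """Classify the TXT records at _dmarc.<domain>.

    Returns (severity, finding): 'missing' when receivers will apply no policy,
    'weak' when a policy exists but does not block spoofed mail, 'ok' when enforced.
    """
    records = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return "missing", "no DMARC record published; receivers apply no policy to spoofed mail"
    if len(records) > 1:
        # RFC 7489 6.6.3: more than one record means processing stops, i.e. no policy.
        return "missing", "multiple DMARC records published; receivers treat this as no policy"
    tags = parse_dmarc(records[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "missing", "p= tag missing or invalid; the record is not a usable policy"
    if policy == "none":
        return "weak", "p=none only requests reports; spoofed mail is still delivered"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        # Mail outside the sampled percentage gets the next weaker policy applied.
        return "weak", f"p={policy} applies to only {pct}% of failing mail"
    return "ok", f"p={policy} enforced on 100% of failing mail"
```

The remediation the report asks for corresponds to moving from the "missing" state to a record that assesses as "ok", typically staged through p=none with rua= reporting to confirm legitimate senders are aligned before switching to p=reject.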

Activity