elementary / website

The elementary.io website
https://elementary.io
MIT License

Incorrect Mechanism used for SPF record on domain leading to email spoofing #1957

Closed shubhack319 closed 6 years ago

shubhack319 commented 6 years ago

Vulnerability name : Incorrect Mechanism used for SPF record on domain leading to email spoofing

Vulnerability Description :

SPF/TXT Records

An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.

One can check the SPF records of a domain: there are various ways of checking for missing SPF records on a website, but the most common and popular way is kitterman.com.

Impact :

By not having valid SPF records for a domain, an attacker can use that domain as the mail ID domain and can easily send mails to users on behalf of the domain, and users can be tricked easily. With high social engineering skill, an attacker can manipulate a user into providing some sensitive information.

Vulnerable domain :

elementary.io

Attack scenario :

1-> First, the attacker checks the SPF record for the domain, and if an invalid SPF record is found, he can do the attack.

2-> After checking, an attacker can visit sites like https://emkei.cz/ , https://anonymousemail.me/mobile/ to craft an anonymous mail on behalf of the domain email, like from "support@elementary.io".

3-> By this the attacker was able to phish users very trustfully using the domain email.

POC :

Screenshots are attached:

  1. Invalid SPF record screenshot is attached.

  2. Fake email generator (https://anonymousemail.me/mobile/)

  3. Fake mail received in my gmail account.

Note :

Some sites will say you have a valid SPF record; this is due to the mechanism you have deployed. It seems that you have implemented a neutral mechanism / qualifier, which generally denotes that the SPF record is either pass or fail. If I was able to do email spoofing, that means it was fail but not detected in SPF testing, because neutral denotes either pass or fail.

Remediation:

So you should deploy your SPF record with some other qualifier, like '~', etc.

For more info refer to: https://postmarkapp.com/blog/explaining-spf http://www.openspf.org/SPF_Record_Syntax

[Screenshots 470, 471 and 472 attached to the original issue]
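The report's note turns on one detail of SPF syntax: the qualifier on the final `all` term decides what receivers do with mail from hosts the record does not list (`?all` neutral, `~all` softfail, `-all` fail, `+all` pass). The following checker is an added example, not code from the reporter or from elementary; the function names `parse_spf` and `assess`, the severity labels and the sample records are all constructed here. It parses SPF records per RFC 7208 term syntax and flags the weak configurations a defender would look for (no record, several records, a missing `all`, or `?all`/`+all`). It works on TXT strings you already hold; fetching them from DNS (for instance with `dig TXT example.org`) is left to the caller.

```python
"""Assess the strength of an SPF policy from its TXT record text (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 7208 section 4.6.2: a term's qualifier, "+" (pass) when omitted.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


@dataclass
class SpfTerm:
    qualifier: str           # one of "+", "-", "~", "?"
    name: str                # mechanism or modifier name, lower-cased
    argument: Optional[str]  # e.g. "_spf.example.org" or "/24"


@dataclass
class SpfAssessment:
    valid: bool
    all_qualifier: Optional[str]
    severity: str            # "missing", "invalid", "weak", "info", "none"
    terms: List[SpfTerm] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def parse_spf(record: str) -> List[SpfTerm]:
    """Split one SPF record into terms; raises ValueError if it is not v=spf1."""
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for tok in tokens[1:]:
        qualifier = "+"
        if tok and tok[0] in QUALIFIERS:
            qualifier, tok = tok[0], tok[1:]
        if "=" in tok:                 # modifier, e.g. redirect=, exp=
            name, arg = tok.split("=", 1)
        elif ":" in tok:               # mechanism with domain/IP argument
            name, arg = tok.split(":", 1)
        elif "/" in tok:               # bare a/mx with a CIDR length only
            name, arg = tok.split("/", 1)
            arg = "/" + arg
        else:
            name, arg = tok, None
        terms.append(SpfTerm(qualifier, name.lower(), arg))
    return terms


def assess(txt_records: List[str]) -> SpfAssessment:
    """Classify a domain's SPF posture from the list of its TXT record strings."""
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return SpfAssessment(False, None, "missing",
                             notes=["no SPF record published; receivers have nothing to evaluate"])
    if len(spf) > 1:
        return SpfAssessment(False, None, "invalid",
                             notes=[f"{len(spf)} SPF records published; RFC 7208 treats this as permerror"])
    terms = parse_spf(spf[0])
    all_terms = [t for t in terms if t.name == "all"]
    has_redirect = any(t.name == "redirect" for t in terms)
    notes: List[str] = []
    if not all_terms:
        if has_redirect:
            notes.append("no 'all' term; evaluation is delegated via redirect=, assess the target record too")
            return SpfAssessment(True, None, "info", terms, notes)
        notes.append("no 'all' term: senders matched by no mechanism get a neutral result")
        return SpfAssessment(True, None, "weak", terms, notes)
    q = all_terms[0].qualifier
    if q == "+":
        notes.append("'+all' authorises every host on the internet to send as this domain")
        severity = "weak"
    elif q == "?":
        notes.append("'?all' yields neutral for unlisted senders, which receivers treat like no policy")
        severity = "weak"
    elif q == "~":
        notes.append("'~all' softfail: unlisted senders are flagged; enforcement depends on the receiver or DMARC")
        severity = "info"
    else:
        severity = "none"
    if terms.index(all_terms[0]) != len(terms) - 1:
        notes.append("terms after 'all' are never evaluated")
    return SpfAssessment(True, q, severity, terms, notes)


if __name__ == "__main__":
    # Constructed sample records, not real DNS data for any domain.
    samples = {
        "neutral": ["v=spf1 include:_spf.example.org ?all"],
        "softfail": ["v=spf1 a mx ~all"],
        "fail": ["v=spf1 ip4:192.0.2.0/24 -all"],
        "none published": [],
    }
    for label, records in samples.items():
        result = assess(records)
        print(f"{label:15} severity={result.severity:8} all={result.all_qualifier} {result.notes}")
```

The `severity` field is what you would alert on: `missing`, `invalid` and `weak` all leave the domain spoofable from the receiver's point of view, `info` means the policy relies on downstream handling of softfail, and only `none` (a `-all` record) asks receivers to reject unlisted senders outright.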

btkostner commented 6 years ago

SPF records changed and email domain key signing soon to be set up. Thank you for the information!

shubhack319 commented 6 years ago

Can I get some reward or appreciation?


danirabbit commented 6 years ago

@shubhack319 Thank you very much for reporting this issue! Unfortunately we don’t have any sort of bounty program in place for reporting issues at this time.

shubhack319 commented 6 years ago

So can I get some swag or gift or certificate for appreciating my work?


shubhack319 commented 5 years ago

Any update?


cassidyjames commented 5 years ago

@shubhack319 I'm following up via email