thenewboston-blockchain / Website

The website for thenewboston.
https://thenewboston.com
MIT License
597 stars 360 forks

Email Server misconfiguration #2167

Closed MrDottt closed 1 year ago

MrDottt commented 2 years ago

Hi, there is another email server misconfiguration, which is no valid SPF record.
Vulnerable Domain: https://thenewboston.com
Vulnerability: No Valid SPF Records

Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source. The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation.

Steps to reproduce: SPF record lookup and validation

  1. Go to https://mxtoolbox.com
  2. Enter your domain with an SPF command like spf:thenewboston.com into the URL box and click Go.
  3. You will see the result: No SPF Record found

Now the attacker can target some users by sending fake offers (a money bonus to claim BTC or a reward, adding a PayPal card on a phishing site, or any other trap the attacker wants), which can be harmful to users, so it needs to be fixed.

The attacker can easily send fake mail from the official @thenewboston.com mail address (https://emkei.cz/?reCAPTCHAv2).

Impact: An attacker can send fake mails to thenewboston.com users. The results can be more dangerous.

Remediation: Replace ~all with -all to prevent fake email.

References:
https://hackerone.com/reports/629087
https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability

Thank you.
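The lookup-and-validate procedure in the report, and the difference between the "~all" and "-all" endings mentioned in the remediation, as an added offline example (this is not code from the thenewboston project or from the issue author). Live DNS answers are replaced by a constructed SAMPLE_ZONE of hypothetical domains; to check a real domain, swap lookup_txt() for dnspython's dns.resolver.resolve(domain, "TXT"). The check classifies a domain's policy (no record, multiple records, over the lookup limit, or the qualifier on "all") and then runs a sender IP through the ip4/ip6/include/all terms to show what a receiver would conclude about a spoofed message.

```python
"""Offline SPF lookup and validation (added example, not project code).

SAMPLE_ZONE stands in for DNS TXT answers; every domain and record in it is
constructed for this example. Replace lookup_txt() with a real query, e.g.
dnspython's dns.resolver.resolve(domain, "TXT"), to check a live domain.
"""
import ipaddress

# Constructed sample zone: hypothetical domains and records, not real DNS data.
SAMPLE_ZONE = {
    "no-spf.example": ["google-site-verification=abc123"],          # the finding in the issue
    "softfail.example": ["v=spf1 ip4:192.0.2.0/24 include:relay.example ~all"],
    "hardfail.example": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "relay.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "plusall.example": ["v=spf1 +all"],                               # authorises everyone
    "twice.example": ["v=spf1 -all", "v=spf1 ~all"],                  # two records: permerror
    "toomany.example": ["v=spf1 " + " ".join(f"include:r{i}.example" for i in range(11)) + " -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def lookup_txt(domain):
    """Stand-in for a DNS TXT query; returns [] for an unknown name."""
    return SAMPLE_ZONE.get(domain.lower().rstrip("."), [])


def spf_records(domain):
    """Only TXT records that start with the SPF version tag count."""
    return [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]


def parse_terms(record):
    """Split 'v=spf1 ...' into (qualifier, name, argument) triples, in order."""
    terms = []
    for token in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if token[0] in QUALIFIERS:
            qualifier, token = token[0], token[1:]
        sep = "=" if "=" in token else ":"  # modifiers use '=', mechanisms use ':'
        name, _, arg = token.partition(sep)
        terms.append((qualifier, name.lower(), arg))
    return terms


def check_domain(domain):
    """Classify what an unauthorised sender gets under this domain's SPF policy."""
    records = spf_records(domain)
    if not records:
        return "none"       # no record: receivers cannot distinguish spoofed mail
    if len(records) > 1:
        return "permerror"  # RFC 7208 section 3.2: more than one record is a permanent error
    terms = parse_terms(records[0])
    if sum(1 for _, name, _ in terms if name in LOOKUP_TERMS) > MAX_DNS_LOOKUPS:
        return "permerror"  # over the 10-lookup limit; receivers treat the record as broken
    for qualifier, name, _ in terms:
        if name == "all":
            return QUALIFIERS[qualifier]   # '~all' -> softfail, '-all' -> fail
    return "neutral"        # no 'all' term: unmatched senders default to neutral


def evaluate_ip(domain, sender_ip):
    """Run a sender IP through ip4/ip6/include/all terms; first match wins."""
    ip = ipaddress.ip_address(sender_ip)
    records = spf_records(domain)
    if len(records) != 1:
        return "none" if not records else "permerror"
    for qualifier, name, arg in parse_terms(records[0]):
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include" and evaluate_ip(arg, sender_ip) == "pass":
            return QUALIFIERS[qualifier]
        if name == "all":
            return QUALIFIERS[qualifier]
        # a, mx, ptr and exists need further DNS queries and are skipped offline
    return "neutral"


if __name__ == "__main__":
    for name in SAMPLE_ZONE:
        print(f"{name:20} policy={check_domain(name):9} spoofed 198.51.100.7 -> {evaluate_ip(name, '198.51.100.7')}")
```

The two results that matter for this issue are "none" for a domain with no record at all (a receiver has nothing to reject on) and the contrast between "softfail" under "~all" and "fail" under "-all" for the same unauthorised IP; only the latter tells a receiver to reject outright, which is why a published record usually ends with "-all" once all legitimate senders are listed.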

MrDottt commented 2 years ago

Hi @wakawakathedev

Would you please let me know if there is an update? It's been more than 40 days since I reported that vulnerability.

Thank you. Have a nice day.

wakawakathedev commented 2 years ago

Hi @MrDottt, I don't believe we use an email signup anymore for the website, so we will have to check if this is still applicable.

There's another issue (for doing email), but I need to link it.

wakawakathedev commented 2 years ago

https://github.com/thenewboston-developers/Website/issues/1268

MrDottt commented 2 years ago

Any update?

wakawakathedev commented 2 years ago

@MrDottt we don't use emails in the website. I've escalated this to whoever maintains/owns the domain.