Introduction
Hey guys, good to have you back on my blog. This is a bug that I found last September, but this vulnerability was a different one. Though not a very severe one, as it was marked as low, believe me, it was a very interesting one as I had a lot of fun after discovering this bug.
So in this vulnerability I was able to send emails to anyone in the world from a real, valid internal email of an ecommerce company. This was a fun experience and I just wanted to share with you all this easy-to-find but interesting bug.
Tip of the blog: Make notes
I’ve adopted a new technique that’s really paying off, and I’d like to share it with you all. What I do is grab a sticky note, place it beside my trackpad, and use it to jot down important points while testing a website.
Let’s get started
So, another day, another bug, another story!!!
Once again, I found myself testing an e-commerce site, which I’ll refer to as “redacted.com”.
Learning from my past newbie experience, I made sure to explore all the functionalities the site had to offer and also noted down all those that appeared potentially vulnerable, with the intention of testing them further later on. These included the admin login page, user profiles, the contact us form, and even the supplier portal.
Rediscovering the ‘Contact Us’ Form
After not being able to find any bugs for like a few hours, I went back to my notes to review what I had tested and what I might have missed.
That’s when I noticed the ‘Contact Us’ form, which I had completely forgotten about.
So I decided to give it a shot and tested it. Just as I captured the request after filling in all the details, I noticed something out-of-the-box.
There were keys named “to”, “from”, “subject”, “html”!!!!
And yes, you guessed it right: I could change their values, and a check was only applied on the “from” param.
So now, I could mail anything to anyone from a mail that belongs to the company I was testing.
And the most interesting thing was that in the “html” all the HTML tags were working, so I was able to customize the email body however I wanted, and could add links, icons, buttons, anything at all.
So I copy-pasted the whole structure of what the real email from that company looks like and added malicious links to it.
Now, just imagine a scenario where you receive an email like this, but it’s from a hacker.
Fascinating but potentially dangerous!!!!!
I created a report and submitted it on HackerOne. After a few hours, I got a reply and the severity was downgraded to low. I had originally marked it as ‘High’, though.
I researched some more and learned about the service they were using to send emails. I discovered some new parameters, most of which were not that interesting, like “cc” and “bcc”. However, I found out that we could also add attachments to the emails.
I added a few more comments to the report, showing them all the possibilities with this vulnerability. In the end, this convinced them to raise the severity to ‘Medium’, which was good enough for me.
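The contact-form pattern described above, and the extra “cc”, “bcc” and attachment fields found later, as an added example that is not from the post or from the company’s code: the handler that copies mail fields straight from the request, beside a hardened one that fixes recipient and sender server-side, escapes the message, and ignores any mail-API field the client sends. All addresses, the `email`/`message` field names and the helper names are assumptions.

```python
import html
import re
from typing import Mapping, Optional

# Constructed addresses for this example; the real site's mailboxes are not on the page.
SUPPORT_INBOX = "support@redacted.example"    # hypothetical fixed recipient
NOREPLY_SENDER = "noreply@redacted.example"   # hypothetical fixed sender
COMPANY_DOMAIN = "@redacted.example"
# Mail-API fields the write-up found to be client-controlled (cc/bcc/attachments came later).
CLIENT_SUPPLIED_MAIL_FIELDS = {"to", "from", "subject", "html", "cc", "bcc", "attachments"}
# Rejects any whitespace, so CR/LF inside an address fails the check as well.
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]+\.[^@\s]+$")


def vulnerable_build_message(form: Mapping[str, str]) -> dict:
    """The pattern described in the post: every mail field is copied from the
    request, and the only check is that 'from' ends with the company domain."""
    if not form.get("from", "").endswith(COMPANY_DOMAIN):
        raise ValueError("from must be a company address")
    return {k: form[k] for k in CLIENT_SUPPLIED_MAIL_FIELDS if k in form}


def is_valid_contact_email(addr: str) -> bool:
    return len(addr) <= 254 and EMAIL_RE.match(addr) is not None


def hardened_build_message(form: Mapping[str, str]) -> Optional[dict]:
    """Fixed handler: the client may only supply its own address and a plain-text
    message; recipient, sender, subject and HTML are decided server-side and any
    mail-API field sent by the client is ignored. Returns None on invalid input."""
    reply_to = form.get("email", "").strip()
    message = form.get("message", "").strip()
    if not is_valid_contact_email(reply_to) or not 0 < len(message) <= 5000:
        return None
    # Client-sent mail fields are dropped; the list is returned so it can be logged as a probe.
    ignored = sorted(CLIENT_SUPPLIED_MAIL_FIELDS & set(form))
    body = "<p>Contact form submission from {}</p><p>{}</p>".format(
        html.escape(reply_to), html.escape(message).replace("\n", "<br>"))
    return {"to": SUPPORT_INBOX, "from": NOREPLY_SENDER, "reply_to": reply_to,
            "subject": "Contact form submission", "html": body, "ignored_fields": ignored}
```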
Fun Part
Now comes the most fun part of this experience. It felt like I had a lot of power in my hands, which I knew how to use, until the bug was resolved. 😈😈😈
I created a well-structured email, taking care of every minute detail. And this was the result!
[Image: a perfectly crafted email, sent via an internal email of the company]
Finding this vulnerability was worth my efforts, and I realized this when I sent the email to a friend of mine. 😈😈😈
And to satisfy your curiosity about what was inside that assessment link, here is the link
See you in the next blog!😉😉