Easy Bug | Email Spoofing
Overview of the Vulnerability:
Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are security controls that email domains use to prevent spoofing. Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on SPF and DKIM to tell receiving servers to reject or quarantine mail that fails those checks. A missing DMARC record on a domain lets an attacker spoof the domain name and send emails on its behalf.
I discovered this bug in many programs, but in different ways, and I will explain two of them.
Steps to Reproduce (First way):
1. Make sure the domain/subdomain is actually used to send email. You can do this in several ways, but I prefer a very quick one: the “Hunter — Email Finder Extension”, which is a useful extension: https://chromewebstore.google.com/detail/hunter-email-finder-exten/hgmhmanijnjhaffoampdlllchpolkdnj
2. You can check the records for errors in two ways:
First: run this command in a terminal:
dig TXT [example.com]
If you do not see an “SPF” record in the result, there must be a problem. You can test the “DMARC” record the same way:
dig TXT [_dmarc.example.com]
“There may be errors in the existing records, or they may have been forgotten in the first place, so I advise you to read more about these records and how they work.”
Second: you can also test from here: “https://mxtoolbox.com/SuperTool.aspx?action=mx:[example.com]”
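As an added example (not part of the original write-up), a small Python checker that applies the logic of step 2 to TXT records: it parses the SPF record of the domain and the DMARC record at _dmarc.<domain> and reports the gaps a reviewer looks for (missing record, permissive "all" qualifier, p=none). The TXT answers are constructed inline for hypothetical .test domains, standing in for dig output, so it runs offline; assess(domain) returns an empty list when both records are in order.

```python
import re
from typing import Dict, List

# Constructed TXT answers for hypothetical .test domains, standing in for
# what "dig TXT <name>" would return; these are not real lookups.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "mail.example.test": ["v=spf1 ip4:192.0.2.10 +all"],
    "_dmarc.mail.example.test": ["v=DMARC1; p=none"],
    "old.example.test": [],            # still sends mail, but has no records at all
    "_dmarc.old.example.test": [],
}

def spf_findings(records: List[str]) -> List[str]:
    """Flag SPF problems in the TXT records of the domain itself."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (invalid; receivers treat this as a permerror)"]
    # The trailing "all" mechanism decides the fate of senders not listed before it.
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf[0])
    if not m:
        return ["SPF has no 'all' mechanism (unlisted senders are neutral)"]
    qualifier = m.group(1) or "+"      # a bare "all" means "+all"
    if qualifier == "+":
        return ["SPF ends in +all: every sender passes"]
    if qualifier in ("~", "?"):
        return [f"SPF ends in {qualifier}all: unlisted senders are not hard-failed"]
    return []

def dmarc_findings(records: List[str]) -> List[str]:
    """Flag DMARC problems in the TXT records of _dmarc.<domain>."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: spoofed mail is neither quarantined nor rejected"]
    tags = {k.strip().lower(): v.strip() for k, v in
            (t.split("=", 1) for t in dmarc[0].split(";") if "=" in t)}
    policy = tags.get("p", "").lower()
    if policy == "none":
        return ["DMARC p=none: monitoring only, spoofed mail is still delivered"]
    if policy not in ("quarantine", "reject"):
        return [f"DMARC policy missing or invalid: {policy!r}"]
    return []

def assess(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Combine SPF and DMARC findings for one sending domain (empty list = ok)."""
    return spf_findings(txt.get(domain, [])) + dmarc_findings(txt.get(f"_dmarc.{domain}", []))
```

To use it against live data, feed the strings returned by the two dig commands above into the same functions in place of SAMPLE_TXT.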
Steps to Reproduce (Second way):
If the site sends emails, whether when creating an account, changing the password or for the newsletter, first make sure that the domain [of the mail sender] is within their scope, and then test it, because many times some of these sending domains are forgotten.
Impact:
The simplest impact is that, if the target website has no spoofing protection, an attacker can impersonate the company and send emails to users from its address. This could lead to many bad things, such as account takeover or, in the case of an e-banking website, theft of victims' funds, which will degrade the reputation of the company.