Summary
This post will cover an interesting logic flaw found in a private bug bounty program. Whilst the name of this company will be known as [REDACTED], the purpose of this post is to demonstrate how we can turn a feature into a bug. The feature in question allows users to send and receive emails in a secure manor but by checking a few response headers the integrity of the application is broken. Here's the report submitted via Hackerone albeit slightly redacted..
Report
The [REDACTED] product has an end point /rest/users/preauth which is used to validate whether a user has access to a certain object before redirecting them to a login page.
The issue is that this logic can be used against [REDACTED] to work out who an email was sent to. This itself may not be a huge worry but I am able to disclose whether a user is within the BCC field, without authentication - this would be a privacy issue and goes against concept of a blind carbon copy.
Steps To Reproduce
Lets say my business decides to use [REDACTED] as a product, we have 8 members of staff who's emails are as follows:
- ashleyking@wearehackerone.com
- ashleyking+original@wearehackerone.com
- ashleyking+bcc@wearehackerone.com
- ashleyking+user1@wearehackerone.com
- ashleyking+user2@wearehackerone.com
- ashleyking+user3@wearehackerone.com
- ashleyking+user4@wearehackerone.com
- ashleyking+user5@wearehackerone.com
- User
ashleyking@wearehackerone.comsends an email toashleyking+original@wearehackerone.comand BCC'sashleyking+bcc@wearehackerone.com. - Both of the recipients receive an email - only
ashleyking+original@wearehackerone.comis visible in the message headers ashleyking+original@wearehackerone.comcan now use the Intruder feature of Burp Suite to see if any of their colleagues were BCC'd into the email.
Step 1
Create a new request in the Intruder tab, set the target to be hackerone.bounty.[redact].net and Port 443 (use HTTPS)
Step 2
Create the request in the positions tab. Where w= is followed by the ID of the email. You can find this in the link that was sent via the email.
We also need to include the header X-[redact]-Version with a value of [redact]
Step 3
Add your known list of users within the business to the `Payloads` tab. (encode the `+` symbol if necessary)
Step 4
Start the attack. For this particular example we will see the following output:
- If we see a response status of 200 we can confirm that the user is a recipient of the email
- if we see a response status of 403 we can confirm that the user is NOT a recipient of the email.
Impact
A user is able to validate whether any of their colleagues has been BCC'd into any email they receive. This defeats the original purpose of a blind carbon copy and breaks the integrity of the email sent from [REACTED].
This business logic issue was worth $750
Follow @AshleyKingUK