This post will cover an interesting logic flaw found in a private bug bounty program. Whilst the name of this company will be known as [REDACTED], the purpose of this post is to demonstrate how we can turn a feature into a bug. The feature in question allows users to send and receive emails in a secure manner, but by checking a few response headers the integrity of the application is broken. Here's the report submitted via HackerOne, albeit slightly redacted.
The [REDACTED] product has an endpoint /rest/users/preauth which is used to validate whether a user has access to a certain object before redirecting them to a login page.
The issue is that this logic can be used against [REDACTED] to work out who an email was sent to. This itself may not be a huge worry, but I am able to disclose whether a user is within the BCC field, without authentication. This is a privacy issue and goes against the concept of a blind carbon copy.
Steps To Reproduce
Let's say my business decides to use [REDACTED] as a product, and we have 8 members of staff whose emails are as follows:
firstname.lastname@example.org an email to
- Both of the recipients receive an email - only email@example.com visible in the message headers
firstname.lastname@example.org now uses the Intruder feature of Burp Suite to see if any of their colleagues were BCC'd into the email.
Create a new request in the Intruder tab, set the target to be hackerone.bounty.[redact].net and Port 443 (use HTTPS).
Create the request in the positions tab, where w= is followed by the ID of the email. You can find this in the link that was sent via the email.
We also need to include the header X-[redact]-Version with a value of
Add your known list of users within the business to the `Payloads` tab (encode the `+` symbol if necessary).
Start the attack. For this particular example we will see the following output:
- If we see a response status of 200 we can confirm that the user is a recipient of the email
- If we see a response status of 403 we can confirm that the user is NOT a recipient of the email.
A user is able to validate whether any of their colleagues have been BCC'd into any email they receive. This defeats the original purpose of a blind carbon copy and breaks the integrity of the email sent from [REDACTED].
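As an added illustration, not code from the report or from the vendor, the following Python models the preauth logic in two forms: the leaky ordering described above, where recipient membership is checked before authentication, and a hardened version that authenticates first and only ever answers for the caller's own identity. The message id, handler names and sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from the original report): one message whose
# visible recipient is email@example.com and whose BCC recipient is
# firstname.lastname@example.org.
MESSAGES = {
    "msg-123": {
        "to": {"email@example.com"},
        "bcc": {"firstname.lastname@example.org"},
    },
}


@dataclass
class Request:
    message_id: str                          # the value carried in the w= parameter
    user: str                                # the address being checked
    authenticated_as: Optional[str] = None   # None models an unauthenticated caller


def preauth_vulnerable(req: Request) -> int:
    """Modelled on the flaw described above: recipient membership is checked
    before any authentication, so the status code alone answers the question."""
    msg = MESSAGES.get(req.message_id)
    if msg is None:
        return 404
    return 200 if req.user in (msg["to"] | msg["bcc"]) else 403


def preauth_hardened(req: Request) -> int:
    """Authenticate first, and only answer for the caller's own identity, so an
    unauthenticated probe gets the same status for every address it tries."""
    if req.authenticated_as is None or req.authenticated_as != req.user:
        return 401
    msg = MESSAGES.get(req.message_id)
    if msg is None:
        return 404
    return 200 if req.user in (msg["to"] | msg["bcc"]) else 403


def leaks_recipient_status(handler, message_id: str, recipient: str,
                           non_recipient: str) -> bool:
    """Regression check for the oracle: True if an unauthenticated request gets
    a different status for a recipient than for a non-recipient."""
    status_recipient = handler(Request(message_id, recipient))
    status_other = handler(Request(message_id, non_recipient))
    return status_recipient != status_other
```

The regression check is the test a defender would keep around: it must return False for the endpoint once the fix is in place.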
This business logic issue was worth $750