Сlarity and Trust – We take pride in being the site where you can feel free to express your opinion and leave feedback. Whenever you click on the websites of products reviewed by us, we participate in the revenue sharing and get commissions that help us maintain our project. Read more about how we work.

Student Found Bug in Cloudflare Email Routing Closed Beta

Now Reading
Student Found Bug in Cloudflare Email Routing Closed Beta

Danish Skive College student Albert Pedersen managed to break into the closed beta of Cloudflare Email Routing (without an invitation) and discovered a bug that attackers could use to hijack and steal someone else’s email. Pedersen ended up getting $6,000 from Cloudflare through a bug bounty program.

Let me remind you that we wrote that Cloudflare Coped With The Most Powerful DDoS Attack to Date, and also that Developers Can’t Fix a Serious Vulnerability in OpenSSL.

Albert Pedersen

Albert Pedersen

In an article published earlier this week, Pedersen revealed that he alerted Cloudflare to the problem via HackerOne as early as December 7, 2021. According to him, the company eliminated the bug within a few days, but the error was not made public until July 28, 2022, after which Pedersen finally got the opportunity to publish his own report on what happened.

As a reminder, Cloudflare developers introduced their own Email Routing service in the fall of 2021, making it available only as a closed beta. The service, which went into public testing in February this year, allows customers to create and manage email addresses for their domains and forward mail to specific mailboxes.

Pedersen writes that the first test for him was the very penetration into the closed beta:

When I discovered this vulnerability, Cloudflare Email Routing was still in closed beta and only a few domains were granted access. Unfortunately, I wasn’t invited to that party, so I just had to break in.said clinic representatives

The researcher ended up infiltrating the beta by manipulating data sent by Cloudflare’s backend servers to the Cloudflare dashboard opened in his browser. He writes that he simply used Burp to intercept the response and replace ‘beta’: false with ‘beta’: true, which caused the control panel to think that he had access to the beta version.

After that, he set up Email Routing for one of his domains so that mail from a custom address in that domain (for example, albert@example.com) would be routed to his personal Gmail address.

At that point, his domain was linked to his main Cloudflare account, verified, and Email Routing was set up and working as it should. It’s worth noting that verification means that the domain’s DNS records have been configured in such a way that Cloudflare knows that it is Pedersen who owns, or at least controls, this domain.

The researcher then wondered what would happen if he added his domain to another Cloudflare account where that domain was unverified. He was sure that it would be impossible to set up Email Routing for him and forward the email. However, everything worked out.

When the unverified domain was added to the sub account, Pedersen enabled Email Routing for it and configured the original email address (albert@example.com) to be redirected to another email address (which was no longer his personal Gmail box). He then sent a message to albert@example.com, and it ended up in the fraudulent recipient’s inbox instead of their personal Gmail box.

Essentially, the researcher took over albert@example.com by simply adding the domain to another account and instructed Cloudflare where to relay messages for albert@example.com.

I assumed that either the Cloudflare API would perform server-side validation and throw an error telling me to verify the zone, or my rogue configuration would simply not work. I suspect that the Cloudflare mail server only keeps one entry for each address, and it was simply overwritten when I applied my fraudulent settings.

You can now set up Email Routing in an unverified zone, however the configuration will not take effect until the domain has been verified.says Pedersen, who elaborates that in the end he did not see an error, and everything worked.

Essentially, an attacker exploiting this vulnerability could receive messages sent to a stranger’s address simply by adding that stranger’s domain to their account and forwarding the mail to the desired address. However, this only worked if the stranger was already using Cloudflare, his domain was verified, and Email Routing was set up.

This is not just a serious privacy issue. Because password reset links are often sent to the user’s email address, attackers could potentially gain control of any accounts associated with that email address.Pedersen notes, adding that this is a good argument in favor of using two-factor authentication.

The researcher says that at the time of the closed beta Email Routing used about 600 domains, and all their email could be compromised if some hacker took advantage of the vulnerability.

Representatives of Cloudflare told The Register that the attackers did not have time to take advantage of the problem, and Email Routing is still in beta, only now it is open. The company also emphasized that the bug discovered by Pedersen is another proof of the usefulness and necessity of bug bounty programs.

What's your reaction?
Love It
Like It
Want It
Had It
Hated It
About The Author
Vladimir Krasnogolovy
Leave a response

Leave a Response