Student Found Bug in Cloudflare Email Routing Closed Beta
Danish Skive College student Albert Pedersen managed to break into the closed beta of Cloudflare Email Routing (without an invitation) and discovered a bug that attackers could use to hijack and steal someone else’s email. Pedersen ended up getting $6,000 from Cloudflare through a bug bounty program.
Let me remind you that we wrote that Cloudflare Coped With The Most Powerful DDoS Attack to Date, and also that Developers Can’t Fix a Serious Vulnerability in OpenSSL.
Albert Pedersen
In an article published earlier this week, Pedersen revealed that he alerted Cloudflare to the problem via HackerOne as early as December 7, 2021. According to him, the company eliminated the bug within a few days, but the error was not made public until July 28, 2022, after which Pedersen finally got the opportunity to publish his own report on what happened.
As a reminder, Cloudflare developers introduced their own Email Routing service in the fall of 2021, making it available only as a closed beta. The service, which went into public testing in February this year, allows customers to create and manage email addresses for their domains and forward mail to specific mailboxes.
Pedersen writes that the first test for him was the very penetration into the closed beta:
The researcher ended up infiltrating the beta by manipulating data sent by Cloudflare’s backend servers to the Cloudflare dashboard opened in his browser. He writes that he simply used Burp to intercept the response and replace ‘beta’: false with ‘beta’: true, which caused the control panel to think that he had access to the beta version.
After that, he set up Email Routing for one of his domains so that mail from a custom address in that domain (for example, albert@example.com) would be routed to his personal Gmail address.
At that point, his domain was linked to his main Cloudflare account, verified, and Email Routing was set up and working as it should. It’s worth noting that verification means that the domain’s DNS records have been configured in such a way that Cloudflare knows that it is Pedersen who owns, or at least controls, this domain.
The researcher then wondered what would happen if he added his domain to another Cloudflare account where that domain was unverified. He was sure that it would be impossible to set up Email Routing for him and forward the email. However, everything worked out.
When the unverified domain was added to the sub account, Pedersen enabled Email Routing for it and configured the original email address (albert@example.com) to be redirected to another email address (which was no longer his personal Gmail box). He then sent a message to albert@example.com, and it ended up in the fraudulent recipient’s inbox instead of their personal Gmail box.
Essentially, the researcher took over albert@example.com by simply adding the domain to another account and instructed Cloudflare where to relay messages for albert@example.com.
You can now set up Email Routing in an unverified zone, however the configuration will not take effect until the domain has been verified.says Pedersen, who elaborates that in the end he did not see an error, and everything worked.
Essentially, an attacker exploiting this vulnerability could receive messages sent to a stranger’s address simply by adding that stranger’s domain to their account and forwarding the mail to the desired address. However, this only worked if the stranger was already using Cloudflare, his domain was verified, and Email Routing was set up.
The researcher says that at the time of the closed beta Email Routing used about 600 domains, and all their email could be compromised if some hacker took advantage of the vulnerability.
Representatives of Cloudflare told The Register that the attackers did not have time to take advantage of the problem, and Email Routing is still in beta, only now it is open. The company also emphasized that the bug discovered by Pedersen is another proof of the usefulness and necessity of bug bounty programs.
