Student crashes Cloudflare beta party, redirects email, bags a bug bounty
Simple to exploit, enough to pocket $3,000
A Danish ethical hacker was able to work his way uninvited into a closed Cloudflare beta and found a vulnerability that could have been exploited by a cybercriminal to hijack and steal someone else's email.
Student Albert Pedersen reported the critical vulnerability to Cloudflare via the company's bug bounty program, and was awarded $3,000. He said in a write-up on Wednesday he alerted the internet giant soon after he spotted the vulnerability on December 7. According to a timeline on HackerOne, which manages the bounty program, Cloudflare fixed the flaw within a few days. However, it wasn't until July 28 that the vuln was publicly disclosed, allowing Pedersen to publish his blog post this month.
Cloudflare, which mainly carries out content distribution duties and provides security protection for websites, announced its Email Routing service in September 2021, initially making it available as a private beta program. The service, which in February went into open beta, allows customers to create and manage custom email addresses for their domains and have them redirect their mail to specific addresses.
The first challenge for Pedersen was slipping into this private beta.
"Cloudflare Email Routing was in closed beta back when I discovered this vulnerability, with only a few domains having been granted access," Pedersen wrote. "Sadly, I was not invited to the party, so I was simply going to have to crash it instead."
He got into program by manipulating the data sent from Cloudflare's backend servers to the Cloudflare dashboard open in his browser. He wrote that he used the Burp suite running on his computer "to intercept the response and replace 'beta': false with 'beta': true, which made the dashboard think I had been given access to the beta."
Once in, he set up Email Routing for one of his domains so that email to a custom address at that domain – let's say, firstname.lastname@example.org – was routed to his personal Gmail address.
At this point, his domain was listed in his primary Cloudflare account, verified, and had Email Routing set up and working. By verified, we mean that the domain's DNS records are configured in such a way that the internet giant is satisfied he owned, or at least managed, the domain. The verification is important because without it, you shouldn't be able to enable features for the domain as you may not have the authority to manage the domain.
He then wondered what would happen if he added his domain to his secondary Cloudflare account, where the domain wasn't verified. Surely, it shouldn't be possible to set up Email Routing for it, and redirect email sent to that domain? Surely, he could.
"I assumed either the Cloudflare API would do a server-side check and throw an error telling me to verify the zone, or my rogue configuration simply would not take effect," he told The Register in an email interview. But it didn't throw an error, and it did take effect.
"The latter is how it works now," he added. "You can set up Email Routing on an unverified zone, but the configuration won't take effect until you verify ownership of the domain."
With the unverified domain added to his secondary account, Pedersen switched on Email Routing for it, and configured the original email address he set up, email@example.com, to redirect to an email address that wasn't his personal Gmail. After this, he sent a message to firstname.lastname@example.org and it ended up in the inbox of the rogue destination rather than his Gmail.
In effect, he had hijacked email@example.com by simply adding the domain to another account, unverified, and instructed Cloudflare where it should instead pipe messages for firstname.lastname@example.org.
"I suspect that Cloudflare's mail server only keeps a single record for each address, and that it was simply overwritten when I applied my rogue settings," he blogged.
A criminal exploiting the vulnerability could receive messages sent to a stranger's address by adding that stranger's domain to the attacker's account and forwarding the mail to a rogue destination – if the stranger was already using Cloudflare, the domain was verified, and its Email Routing was configured.
"Not only is this a huge privacy issue, but due to the fact that password reset links are often sent to the email address of the user, a bad actor could also potentially gain control of any accounts linked to that email address," Pedersen wrote, adding that it created a good argument for using two-factor authentication.
He noted that there were around 600 domains using the closed beta service when he noticed the security hole, and all of them could have had their email hijacked if a bad actor had got in and exploited the flaw.
- Cloudflare explains how it managed to break the internet
- Cloudflare network outage disrupts Discord, Shopify
- Cloudflare offers $100,000 for prior art to nuke networking patents a troll has accused it of ripping off
- Cloudflare coughs up a few grand for prior-art torpedoes to sink troll
Cloudflare said in a statement to The Register that after the vulnerability was reported, it resolved the issue and verified that the flaw had not been exploited. Email Routing is still in open beta.
The biz also stressed the importance of bug bounty programs. It has had its own for several years, including a private program created in 2018. In February, Cloudflare announced a paid public program hosted by HackerOne, and listed Pedersen in its top 10 researchers.
Pedersen on his LinkedIn profile describes himself as a "Cloudflare enthusiast." He told The Register he is a Cloudflare Community MVP, which he said is a program volunteer member who makes significant contributions to the community forum and answers other users' questions. He said he uses a range of Cloudflare products for hobby projects; his blog site is hosted on Cloudflare Pages.
Pedersen currently is a student at Skive College in Denmark and while he hasn't decided on what he'll do after he graduates, he likes bug hunting now. He found his first bug in April 2021. ®