Missing Protection Mechanism in Mail Servers allows a malicious user to use a staff.ratelimited.me email, which could lead to identity theft.
Discovered by sxw on Ratelimited

This issue took 0 Days and 0 hours to triage and 3 Days and 21 hours to resolve once triaged.

Hello ratelimited,

I'm not really sure how your mail servers are configured, but I guess there is a misconfiguration or missing protection mechanism that fails to verify that the emails being sent are made only by authorized ratelimited staff. From this point of view, a malicious user could send an email to a victim using a valid email owned by ratelimited staff, and to be specific one of them is [email protected]; I can surely tell it is, based on #369581, wherein a team member acknowledged the hacker that they will be given a reward for their efforts.

So what now?

If a malicious user could use [email protected] to send emails through the abuse of a misconfigured mail server with missing protection, they can spread fake messages from this point and make the reputation of ratelimited staff and management bad from others' point of view.

POC

I've attacked my own email and tried to exploit the issue. Here my Gmail account has received an email from [email protected] saying that I've received a reward from ratelimited. If a normal user received this email, they would not hesitate to claim the reward, thinking that it came from, and the request was done and sent by, legitimate staff of ratelimited, but it is actually not. {F412930}

How could we verify this?

Here are the steps to reproduce the issue:

  • I used the 3rd-party email faker emkei.cz to spoof the email of [email protected].
  • Just compose a normal email and don't forget to put in the email of the victim.
  • Send the email.

Still, who cares about or implements mail protections on their servers?

HackerOne itself already did this way back years ago. They configured their mail server so that whenever a malicious user uses @hackerone.com and tries to send mail from it to distribute messages, HackerOne's mail server will prevent this before it is sent to the desired victim. And so does Facebook. In case you want to verify this, try the steps to reproduce above against the said websites and you will see the attack never succeeds on *@hackerone.com nor *.facebook.com.

> Don't get me wrong, but this attack is only made possible by ratelimited itself opening a window for exploitation.

Regards, Mart Gil

Impact

Could distribute fake email content/files using [email protected] or any email used by ratelimited. As a result, ratelimited will have a bad reputation, and this can also be used by any counterpart company of ratelimited.
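The report does not name the missing protection; the standard controls that let a receiving server reject mail forged in a domain's name are SPF (which hosts may send for the domain) and DMARC (what to do when the From: domain is not aligned with a passing SPF or DKIM result). The following is an added editorial example, not code from the report or from ratelimited, that assesses a domain's published policy against constructed sample TXT records; the domain names and records are made up, and `lookup_txt` is a stand-in for a real DNS query.

```python
"""Assess whether a domain's published SPF/DMARC policy lets third parties forge its From: address."""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample TXT records keyed by query name; not real DNS data for any domain.
SAMPLE_TXT: Dict[str, List[str]] = {
    "weak.example": [],                                  # no SPF record published
    "_dmarc.weak.example": [],                           # no DMARC record published
    "soft.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
    "hardened.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"],
}

def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query (hypothetical); a live checker would use a resolver library here."""
    return SAMPLE_TXT.get(name.lower(), [])

def spf_record(txts: List[str]) -> Optional[str]:
    """Return the single v=spf1 record, or None when absent or duplicated (both leave SPF unusable)."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def dmarc_policy(txts: List[str]) -> Optional[str]:
    """Return the DMARC p= tag (none/quarantine/reject), or None when no DMARC record is published."""
    for t in txts:
        if t.lower().startswith("v=dmarc1"):
            m = re.search(r"(?:^|;)\s*p\s*=\s*(none|quarantine|reject)", t, re.I)
            return m.group(1).lower() if m else None
    return None

def assess(domain: str, resolve: Callable[[str], List[str]] = lookup_txt) -> List[str]:
    """Return findings that allow spoofing; an empty list means compliant receivers should reject forgeries."""
    findings: List[str] = []
    spf = spf_record(resolve(domain))
    if spf is None:
        findings.append("no valid SPF record: any host may claim to send for this domain")
    else:
        terms = spf.split()
        if terms[-1] != "-all" and not any(t.lower().startswith("redirect=") for t in terms):
            findings.append(f"SPF ends in '{terms[-1]}' rather than '-all': forged mail only gets a softfail")
    policy = dmarc_policy(resolve(f"_dmarc.{domain}"))
    if policy is None:
        findings.append("no DMARC record: receivers are not told to enforce From: alignment")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, forged From: headers are still delivered")
    return findings

if __name__ == "__main__":
    for d in ("weak.example", "soft.example", "hardened.example"):
        print(d, "->", assess(d) or ["OK: forged From: should be rejected"])
```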