Report #34284

Report Date
August 8, 2024
Status
Closed
Payout

Persistent content spoofing / text injection issues/ due to Misconfiguration
Report Info

Report ID

#34284

Report type

Websites and Applications

Has PoC?

Yes

Target

https://basin.exchange

Impacts

  • Persistent content spoofing / text injection issues
  • Email deliverability issues: legitimate emails may be marked as spam or rejected by receiving mail servers.
  • Security risks: increased risk of email spoofing and phishing attacks, potentially leading to loss of reputation, data breaches, or financial loss.

Description

Hi Team,

Hope all is well. Please find details of the subject report as follows:

There is a misconfiguration in the SPF record for basin.exchange: the domain shows multiple SPF records and is incorrectly configured, leading to security vulnerabilities, specifically email spoofing using official emails. This domain has two SPF records, i.e.:

Misconfigurations

(a) v=spf1 -all

This record indicates that no mail should be sent from this domain.

(b) v=spf1 include:spf.efwd.registrar-servers.com -all

This record includes the SPF settings from spf.efwd.registrar-servers.com and then specifies that no other mail should be sent.

DNS Response:

DNS query for basin.exchange returns multiple SPF records, which is against SPF specification (RFC 4408). Only one SPF record should be present for a domain. Presence of multiple records can lead to ambiguous interpretation by receiving mail servers, potentially causing legitimate emails to be marked as spam or rejected.

SPF Record Retrieval:

Authoritative DNS server for basin.exchange is carlos.ns.cloudflare.com and dina.ns.cloudflare.com.

Response from carlos.ns.cloudflare.com includes three TXT records:

    6156eb38-8284-40da-b32e-bf544236577a=59b36881a8e91818d8b531f7114cb671f03af32786fefbe57efc8641f7bcf026
    v=spf1 -all
    v=spf1 include:spf.efwd.registrar-servers.com -all

POC: Session Transcript

TXT:basin.exchange

    1 v0n0.nic.exchange 65.22.28.14 NON-AUTH 25 ms Received 2 Referrals, rcode=NO_ERROR
        basin.exchange. 3600 IN NS carlos.ns.cloudflare.com
        basin.exchange. 3600 IN NS dina.ns.cloudflare.com

    2 carlos.ns.cloudflare.com 108.162.195.112 AUTH 0 ms Received 3 Answers, rcode=NO_ERROR
        basin.exchange. 300 IN TXT 6156eb38-8284-40da-b32e-bf544236577a=59b36881a8e91818d8b531f7114cb671f03af32786fefbe57efc8641f7bcf026
        basin.exchange. 300 IN TXT v=spf1 -all
        basin.exchange. 300 IN TXT v=spf1 include:spf.efwd.registrar-servers.com -all
    Record returned is an RFC 4408 TXT record.

TXT:basin.exchange = Fail LookupServer 292ms

Exploit/ Proof of Concept

The SPF record for the domain basin.exchange contains multiple SPF records, which violates the RFC specification. This misconfiguration can lead to ambiguous interpretations by receiving mail servers, causing legitimate emails to be marked as spam or rejected, and may also facilitate email spoofing.

Let's Exploit Content Spoofing

The attacker crafts an email using the SPF record, bypassing the restrictive -all policy in the other record.

(1) The attacker goes to https://emkei.cz/, fills in the form using an official email of your domain, and aims to target the victim.

(2) The victim receives an email from your official domain and the content spoofing is successful.

This works on Outlook as well.

Recommendations:

(1) Consolidate SPF Records: Only one SPF record should be present for basin.exchange. The domain owner should merge the necessary mechanisms and directives into a single SPF record.

Example:

    v=spf1 include:spf.efwd.registrar-servers.com -all

Or, if no mail should be sent from this domain:

    v=spf1 -all

By addressing these issues, the domain can ensure better email deliverability and enhanced protection against email spoofing and phishing attacks.

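As an added example (not part of the report, the project or the triage response), the following Python script parses a constructed copy of the three TXT records quoted above, reproduces the receiver-side "permerror" result that RFC 7208 prescribes when a domain publishes more than one SPF record, and merges the records into the single record the recommendation asks for. It assumes the records contain only mechanisms plus a final `all` term (no `redirect=` or `exp=` modifiers); the function names are my own.

```python
import re

# Constructed sample: the three TXT records the report quotes from the
# authoritative Cloudflare nameserver for basin.exchange (copied from the report).
SAMPLE_TXT_RECORDS = [
    "6156eb38-8284-40da-b32e-bf544236577a=59b36881a8e91818d8b531f7114cb671f03af32786fefbe57efc8641f7bcf026",
    "v=spf1 -all",
    "v=spf1 include:spf.efwd.registrar-servers.com -all",
]

def spf_records(txt_records):
    """Keep only the TXT strings that are SPF records (RFC 7208 3.1: a 'v=spf1' version tag)."""
    return [r for r in txt_records if re.match(r"^v=spf1(\s|$)", r.strip(), re.IGNORECASE)]

def check_spf(txt_records):
    """Receiver's first step (RFC 7208 4.5): no SPF record -> 'none';
    more than one -> 'permerror', which is why two records can cause rejection
    or inconsistent handling instead of the single policy the owner intended."""
    found = spf_records(txt_records)
    if not found:
        return "none"
    if len(found) > 1:
        return "permerror"
    return "ok"

def consolidate_spf(txt_records):
    """Merge several SPF records into one: every non-'all' term is kept once,
    in order of first appearance, followed by the strictest 'all' qualifier seen
    (-all beats ~all beats ?all beats +all). With no 'all' term at all the result
    is neutral, so '?all' is emitted to preserve that behaviour."""
    strictness = {"-": 3, "~": 2, "?": 1, "+": 0}
    terms, seen, all_qualifier = [], set(), None
    for record in spf_records(txt_records):
        for term in record.split()[1:]:  # skip the 'v=spf1' version tag
            m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
            if m:
                q = m.group(1) or "+"
                if all_qualifier is None or strictness[q] > strictness[all_qualifier]:
                    all_qualifier = q
            elif term.lower() not in seen:
                seen.add(term.lower())
                terms.append(term)
    return " ".join(["v=spf1", *terms, f"{all_qualifier or '?'}all"])

if __name__ == "__main__":
    print(check_spf(SAMPLE_TXT_RECORDS))        # permerror
    print(consolidate_spf(SAMPLE_TXT_RECORDS))  # v=spf1 include:spf.efwd.registrar-servers.com -all
```

Running `check_spf` against a live zone would require a DNS TXT lookup in place of the constructed list; everything after that lookup is the same.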
Immunefi Response

We have reviewed your report and regret to inform you that we will have to close it due to inadequate proof of concept (PoC).

Immunefi review:

  • Assessed impact by the triage team is not in scope for the bug bounty program.
  • Assessed asset by the triage team is in scope for the bug bounty program.
  • The submitted PoC does not correspond to the selected impact.
  • Technical review: we do not accept SPF issues, and the selected impact isn't demonstrated in the PoC.

To ensure the proper escalation and evaluation of your report, Immunefi has checked the PoC to see if it matches the assessed impact and bug description, as well as verified the accuracy of your claims.

Please note that the project's team will receive a report of the closed submission and may choose to re-open it at their discretion. However, they are under no obligation to do so.