Vulnerability Report: Misconfigured SPF [No DMARC Record found]
Whitehat Security
Hi Team,
I am an independent security researcher and I have found a bug in your website https://ontobee.org
The details of it are as follows:-
Description:
This report is about a misconfigured SPF record flag, which can be used for malicious purposes as it allows for fake mailing on behalf of respected organizations .
About the Issue:
As i seen the SPF and TXT record for
which is:
DMARC Policy Not Enabled
As u can see that you Weak SPF record, as valid record should be like:-
DMARC policy enabled
What's the issue:
As u can see in the article below the difference between soft-mail and fail you should be using fail, as Soft-mail allows anyone to send spoofed emails from your domains.
Attack Scenario:
An attacker will send phishing mail or anything malicious mail to the victim via mail:
Even if the victim is aware of a phishing attack , he will check the origin email which came from your genuine mail id
ontobee...@googlegroups.com
so he will think that it is genuine mail and get trapped by the attacker.
The attack can be done using any PHP mailer tool like this:-
<?php
$to = "VIC...@example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]l";
$headers = "From:
";mail($to,$subject,$txt,$headers);
?>
U can also check your SPF record form:
https://mxtoolbox.com/SuperTool.aspx
Reference:
https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability
Have a look at the digital ocean article for a better understanding!
Waiting for your reply.
Regards,
Whitehat Security
I hope you're doing well. I wanted to follow up on the vulnerability I reported. I understand that security assessments and fixes take time, and I truly appreciate your team's efforts in addressing these issues.
Please confirm your interest if you are willing to fix the issue to avoid further follow-ups. If you have already fixed the issue, please let us know, and we will proceed with retesting.
As a security researcher, I responsibly reported this vulnerability to help secure your platform. In recognition of my efforts, I expect a reward, which can be sent via PayPal or bank transfer. I would appreciate an update on this discussion as well.
Looking forward to your response.
Best regards
Whitehat Security
I’m following up once more regarding the vulnerability report. We’re happy to know you’ve received it and that it’s contributing to your security improvements.
As mentioned earlier, we would also appreciate a reward for the vuln, granted purely at your discretion. This doesn’t require a bug bounty program — it’s simply a way to acknowledge the effort put into reporting it ethically.
Thank you for your time and acknowledgment.
Best regards
Whitehat Security
I hope everything is going well on your end. I wanted to politely follow up regarding the vulnerability we reported earlier.
While our main goal is to help improve your security posture, we would also welcome a reward for the vuln, should you decide to grant one. We fully understand this is not an obligation and depends entirely on your room and discretion.
Your acknowledgment and appreciation mean a lot to us.
Best regards