Doppler: email spoofing on doppler.team

2021-01-04T20:33:07
ID H1:1071521
Type hackerone
Reporter ibrahimauwal
Modified 2021-01-04T21:12:36

Description

Summary:

There is an Email Spoofing vulnerability on your domain doppler.team which allows an attacker to send an email with your domain name (such as admin@doppler.team and so on).

Steps To Reproduce:

  1. Go to http://emkei.cz
  2. Fill the "From Email" field with admin@doppler.team or any other doppler email.
  3. Fill the victim's address (your email for test purposes) into the "TO" field and fill in other details as you wish. You will receive an email from doppler admin.

Impact

An attacker can send malicious emails to users on your behalf (using your domain).
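
The report does not name a root cause. As an added example (not part of the report and not Doppler's code), the check below assumes the usual one: a domain that publishes no enforcing DMARC policy backed by SPF, so receivers have no instruction to reject mail forging its From address. The domain names and TXT records are constructed samples, and the function names are hypothetical.

```python
# Added example: classify published SPF / DMARC TXT records (constructed data).

def spf_posture(txt_records):
    """Classify the domain's SPF record by its terminal 'all' mechanism."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid-multiple"        # RFC 7208: several records -> permerror
    terms = spf[0].lower().split()[1:]
    for term in terms:
        if term.lstrip("+-~?") == "all":
            return {"-": "hardfail", "~": "softfail"}.get(term[0], "permissive")
    if any(t.startswith("redirect=") for t in terms):
        return "redirect"                # policy lives in another record
    return "permissive"                  # no 'all' term: default result is neutral

def dmarc_policy(txt_records):
    """Return (policy, pct) from the _dmarc TXT records, or ('missing', 0)."""
    for rec in txt_records:
        pairs = (part.partition("=") for part in rec.split(";"))
        tags = {k.strip().lower(): v.strip().lower() for k, _, v in pairs if k.strip()}
        if tags.get("v") == "dmarc1" and tags.get("p") in ("none", "quarantine", "reject"):
            pct = tags.get("pct", "100")
            return tags["p"], int(pct) if pct.isdigit() else 100
    return "missing", 0

def from_header_protection(spf_txt, dmarc_txt):
    """SPF only covers the envelope sender; DMARC is what ties policy to From."""
    policy, pct = dmarc_policy(dmarc_txt)
    if policy == "missing":
        verdict = "unprotected"
    elif policy == "none":
        verdict = "monitor-only"
    else:
        verdict = "enforced" if pct == 100 else "partial"
    return {"spf": spf_posture(spf_txt), "dmarc": policy, "verdict": verdict}

# Constructed records: (TXT at the domain, TXT at _dmarc.<domain>)
SAMPLES = {
    "no-policy.example": (["site-verification=constructed"], []),
    "soft.example": (["v=spf1 include:_spf.mail.example ~all"],
                     ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"]),
    "strict.example": (["v=spf1 ip4:192.0.2.10 -all"], ["v=DMARC1; p=reject"]),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLES.items():
        print(domain, from_header_protection(spf_txt, dmarc_txt))
```

Only the "enforced" verdict tells receiving servers to quarantine or reject messages whose From domain fails alignment; "monitor-only" and "unprotected" leave delivery up to each receiver.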