SMTP Protection not used, I can hijack your email server.

ID H1:34112
Type hackerone
Reporter ashesh
Modified 2015-08-13T13:36:19



Companies like Coinbase, Yahoo, Google, Facebook and even HackerOne implemented a strict email security policy (combining SPF, DKIM, and DMARC) but I don't see that from , You should apply strict SMTP policy to stop spoofed email sending from your domain. POC is attached.

Exploit scenario:

An attacker would send a fake email from saying "Please change your password". The victim is aware of phishing attacks, but when he sees that the mail originated from , he has no other way than to believe it. Clicking on the link takes him to a website where certain JavaScript is executed which steals his ID and password (SESSION COOKIE). The results can be more dangerous.

Code to Exploit:

$to = "";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From:";

You should do the fix (see the fix below) to prevent misunderstanding and to protect your users.


Replace ?all with -all to prevent fake email.

Your record: v=spf1 ?all

It should be v=spf1 -all



SPF record lookup and validation for:

SPF records are published in DNS as TXT records.

The TXT records found for your domain are:
v=spf1 ?all

Checking to see if there is a valid SPF record.

Found v=spf1 record for 
v=spf1 ?all <---------- this is your mistake
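
The check the report performs by hand, as an added example that is not part of the original report: a small offline auditor that classifies a domain's SPF policy from its TXT records and flags the `?all` case shown above. The function names, verdict labels and sample records are assumptions made for illustration; the TXT strings are constructed and would normally come from a DNS lookup.

```python
# Map SPF qualifiers to the result they produce (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_records(txt_records):
    """Return the term lists of TXT strings that are SPF version-1 records."""
    out = []
    for txt in txt_records:
        terms = txt.strip().split()
        if terms and terms[0].lower() == "v=spf1":
            out.append(terms)
    return out

def audit_spf(txt_records):
    """Classify a domain's SPF policy; returns (verdict, detail)."""
    records = spf_records(txt_records)
    if not records:
        return ("none", "no v=spf1 record published")
    if len(records) > 1:
        # More than one SPF record is a permanent error for receivers.
        return ("permerror", "multiple v=spf1 records")
    redirect = None
    for term in records[0][1:]:
        low = term.lower()
        if low.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        # A mechanism without an explicit qualifier defaults to "+".
        qualifier, mech = (low[0], low[1:]) if low[0] in QUALIFIERS else ("+", low)
        if mech == "all":
            # "all" always matches, so terms after it are never evaluated.
            result = QUALIFIERS[qualifier]
            if result == "fail":
                return ("strict", "-all: unlisted senders fail")
            if result == "softfail":
                return ("softfail", "~all: unlisted senders are only marked")
            return ("weak", f"{qualifier}all: unlisted senders get '{result}'")
    if redirect:
        return ("delegated", f"policy taken from {redirect}")
    return ("weak", "no 'all' mechanism: default result is neutral")

if __name__ == "__main__":
    # Constructed sample record sets; the first is the record quoted in the report.
    for txts in (["v=spf1 ?all"], ["v=spf1 -all"], ["v=spf1 mx"]):
        print(txts, "->", audit_spf(txts))
```

SPF alone only covers the envelope sender; the report's reference to combining it with DKIM and DMARC is what ties the result to the visible From header.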