I'm not really sure how your mail servers are configured, but I guess there is a misconfiguration or missing protection mechanism that fails to verify that the emails being sent are only made by authorized ratelimited staff. From this point of view, a malicious user could send an email to a victim by using a valid email owned by ratelimited staff, and to be specific one of them is email@example.com, and I can surely tell it is based on #369581, wherein a team member acknowledged to the hacker that they will be given a reward for their efforts.
If a malicious user could use firstname.lastname@example.org to send emails through abuse of a misconfigured mail server with missing protection, they could spread fake messages from this point and make the reputation of ratelimited staff and management look bad from others' point of view.
I've attacked my own email and tried to exploit the issue.
Here my Gmail account has received an email from email@example.com saying that I've received a reward from ratelimited. If a normal user received this email, they would not hesitate to claim the reward, thinking that it came from a request done and sent by legitimate ratelimited staff, but it is actually not.
Here are the steps to reproduce the issue:
- I use the 3rd-party email faker emkei.cz to spoof the email of
- Just compose a normal email and don't forget to put in the email of the victim.
- Send the email.
HackerOne itself already did this way back years ago. They configured their mail server so that whenever a malicious user uses @hackerone.com and tries to send mail from it to distribute messages, HackerOne's mail server will prevent this before it reaches the desired victim. And so does Facebook. In case you want to verify this, try the steps to reproduce above against the said website and you will see the attack will never succeed on
> Don't get me wrong, but this attack is only made possible by ratelimited itself opening a window for exploitation.
Regards, Mart Gil
Could distribute fake email content/files using firstname.lastname@example.org or any email used by ratelimited. As a result, ratelimited will have a bad reputation, and this can also be used by any counterpart company of ratelimited.
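Added example, not part of this report or of ratelimited's own configuration: the "missing protection mechanism" the report describes is usually the domain's SPF and DMARC DNS records, which let receiving mail servers reject mail whose From address is not authorized. The snippet below classifies constructed sample records so a defender can check whether a domain is still exposed; the assumption that SPF/DMARC are the relevant controls is mine, since the report does not name them.

```python
"""Classify SPF and DMARC TXT records for spoofing exposure (added example).

Assumes the missing protection is SPF/DMARC. Records below are constructed
samples, not real DNS data; in practice fetch the TXT records for
<domain> and _dmarc.<domain> and pass them in.
"""
import re


def spf_verdict(txt):
    """Return how an SPF record treats senders it does not list."""
    if txt is None or not txt.lower().startswith("v=spf1"):
        return "missing"
    all_terms = [t for t in txt.split()[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return "no-all"  # no 'all' mechanism: unlisted senders are treated as neutral
    q = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    return {"-": "hard", "~": "soft", "?": "neutral", "+": "pass-all"}[q]


def dmarc_policy(txt):
    """Return the DMARC 'p=' policy, or 'missing' if the record is absent/invalid."""
    if txt is None or not re.match(r"\s*v\s*=\s*DMARC1\s*;", txt, re.I):
        return "missing"
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags.get("p", "missing")


def spoofing_exposure(spf_txt, dmarc_txt):
    """Combine both checks. SPF alone only covers the envelope sender; the
    visible From header (what the victim sees) is only enforced through a
    DMARC policy of quarantine or reject."""
    if dmarc_policy(dmarc_txt) in ("reject", "quarantine"):
        return "protected"
    if spf_verdict(spf_txt) == "hard":
        return "spf-only"  # envelope checked, From header still spoofable
    return "exposed"


# Constructed sample record pairs (SPF TXT, DMARC TXT)
WEAK = ("v=spf1 include:_spf.example.net ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
STRONG = ("v=spf1 include:_spf.example.net -all",
          "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    print("weak:", spoofing_exposure(*WEAK))      # exposed
    print("strong:", spoofing_exposure(*STRONG))  # protected
```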