Udemy: Misconfigured SPF Record Flag

ID H1:60260
Type hackerone
Reporter geekboy
Modified 2016-02-22T23:57:14


Hello Team,

Description:

This report is about a misconfigured SPF record flag, which can be used to abuse the organization by posing as its identity, allowing fake mailing on behalf of the respected organization.

About the Issue:

As I have seen, the SPF (TXT) record for Udemy.com is: `v=spf1 include:_spf.google.com include:smtp1.uservoice.com include:mktomail.com ~all`. As you can see, the symbol at the end, the tilde (`~all`), is the issue; it should be replaced by the hyphen (`-all`) symbol.

So the valid record will look like: `v=spf1 include:_spf.google.com include:smtp1.uservoice.com include:mktomail.com -all`

What's the issue:

As you can see in the article on the difference between softfail and fail, you should be using fail, as softfail allows anyone to send spoofed emails from your domains. In the current SPF record you should replace `~` with `-` before `all` at the end; `-` is strict, which prevents all spoofed emails except those you are sending.

Attack Scenario:

An attacker will send a phishing mail or any other malicious mail to the victim via the address security@Udemy.com. Even if the victim is aware of phishing attacks, he will check the origin email, which will be security@Udemy.com, so he will be sure that it is not a fake mail and get trapped by the attacker!

This can be done using any PHP mailer tool like this:

```php
<?php
// Reporter's proof-of-concept: send a mail carrying a forged From header.
$to      = "VICTIM@example.com";
$subject = "Password Change";
$txt     = "Change your password by visiting here - [VIRUS LINK HERE]";
// Spoofed sender; mail() does nothing to verify that this host may send for Udemy.com,
// so only the receiving side's SPF check (and its treatment of ~all) stands in the way.
$headers = "From: security@Udemy.com";
mail($to, $subject, $txt, $headers);
?>
```

You can check your SPF record from here: http://www.kitterman.com/spf/validate.html

Reference: https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability

Have a look at the DigitalOcean article for a better understanding!

Please let me know if any more info is needed!

Thank you, Geekboy :)
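The following is an added example, not part of the report above and not Udemy's or HackerOne's code. It shows what the `~all` versus `-all` difference actually changes on the receiving side: a minimal SPF (RFC 7208) evaluator that walks `ip4`/`ip6`/`include`/`all` mechanisms over a constructed, in-memory DNS table (the `*.example` zones and their addresses are invented; `a`, `mx`, `ptr`, `exists` and `redirect=` are not implemented). For a sender IP that no mechanism lists, the report's record yields `softfail` and the corrected record yields `fail`; how a receiver treats `softfail` is its own policy decision, which is why the report recommends `-all`. `all_qualifier` is also run directly against the record string quoted in the report.

```python
"""Minimal SPF evaluator (ip4/ip6/include/all only) over a constructed DNS table."""
import ipaddress

# Constructed TXT records (assumption: none of these zones or addresses are real).
DNS_TXT = {
    "udemy-before.example": "v=spf1 include:_spf.mailer.example include:mkto.example ~all",
    "udemy-after.example":  "v=spf1 include:_spf.mailer.example include:mkto.example -all",
    "_spf.mailer.example":  "v=spf1 ip4:203.0.113.0/24 -all",
    "mkto.example":         "v=spf1 ip4:198.51.100.10 ~all",
}

# The record quoted in the report, parsed here without any DNS lookups.
REPORTED_RECORD = (
    "v=spf1 include:_spf.google.com include:smtp1.uservoice.com include:mktomail.com ~all"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:          # modifiers such as redirect= / exp= are skipped
            continue
        qual = "+"               # a mechanism with no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def all_qualifier(record):
    """Result handed to a sender that matches nothing but the trailing 'all'."""
    for qual, mech, _ in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qual]
    return "neutral"             # no 'all' and no match: RFC 7208 says neutral


def check_host(ip, domain, depth=0):
    """Evaluate whether `ip` may send mail for `domain`; returns an SPF result string."""
    if depth > 10:               # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_spf(record):
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # version mismatch (ip4 mechanism vs IPv6 sender) simply fails to match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only if the included domain's record yields 'pass';
            # a softfail/fail inside the include does not propagate outward
            matched = check_host(ip, arg, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


if __name__ == "__main__":
    spoofer = "192.0.2.1"        # constructed attacker IP, listed nowhere
    for domain in ("udemy-before.example", "udemy-after.example"):
        print(f"{spoofer} for {domain}: {check_host(spoofer, domain)}")
    print("reported record trailing 'all':", all_qualifier(REPORTED_RECORD))
```

To run the same check against a live zone, fetch the record with `dig +short TXT udemy.com` and pass the string to `all_qualifier`; `check_host` needs the `DNS_TXT` table populated for every included domain, since this example deliberately performs no network lookups.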