Last year, internet infrastructure company Cloudflare launched an email routing service, giving users the ability to set up a large number of addresses on a domain they control, all delivering to the same inbox. Email routing can be a powerful privacy tool, as it allows you to hide your real email address behind a network of temporary or “burnable” addresses. Unfortunately, as demonstrated in research published Wednesday by a college student from Denmark, Cloudflare’s service had a giant bug in it. The flaw, when exploited, would have let any user of the service redirect, read or block other users’ email.
Albert Pedersen, who is currently a student at Skive College in Midtjylland, wrote that he discovered the vulnerability back in December. In a write-up published on his website, Pedersen explained that the bug would have allowed a hacker to “modify the routing configuration of any domain using the service.”
“I’m curious and like to produce things to see if they break. I want to help keep the internet safe,” Pedersen told Gizmodo in a direct message. “I’ve always had an interest in everything computers and IT. I found and reported my first bug back in April of last year, and I’ve spent a lot of time bug hunting since then.”
The vulnerability, which Cloudflare has confirmed but says was never exploited, was a flaw in the service’s “zone ownership verification”: the check that a user actually controls a domain (a “zone,” in Cloudflare’s terminology) before being allowed to change its settings. Because that check could be bypassed, an attacker could reconfigure email routing and forwarding for domains they did not own. Anyone who knew about the bug could have rerouted another user’s incoming email to an address of their own choosing, or simply dropped it so that certain messages never reached the target at all.
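The bug class described above, an authenticated user changing a resource they do not own because the server trusts the zone identifier in the request, is a missing object-level authorization check. The following is an added illustration written for this article, not Cloudflare’s code or Pedersen’s proof of concept: a hypothetical routing-rule handler with the ownership check missing, beside a hardened version that binds the zone to the authenticated account and, as a second assumed safeguard, only forwards to destinations that account has already verified. All names, the data model and the sample tenants are invented.

```python
"""Hypothetical email-routing API handler: the missing zone-ownership check
beside its hardened form. Not Cloudflare's code; all names are invented."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not touch the requested zone or destination."""


@dataclass
class Zone:
    zone_id: str
    domain: str
    owner_account: str
    rules: list = field(default_factory=list)  # (match_address, forward_to)


@dataclass
class Account:
    account_id: str
    verified_destinations: set = field(default_factory=set)


def sample_tenants():
    """Constructed sample data: two accounts, each owning one zone."""
    zones = {
        "zone-a": Zone("zone-a", "alice.example", "acct-alice"),
        "zone-b": Zone("zone-b", "bob.example", "acct-bob"),
    }
    accounts = {
        "acct-alice": Account("acct-alice", {"alice@inbox.example"}),
        "acct-bob": Account("acct-bob", {"bob@inbox.example"}),
    }
    return zones, accounts


def set_rule_vulnerable(zones, accounts, session_account, zone_id, match, forward_to):
    """Broken pattern: the handler checks that the caller is logged in and that
    the zone exists, but never that the caller owns the zone named in the
    request. Any authenticated user can reroute mail for any domain."""
    if session_account not in accounts:
        raise Forbidden("not authenticated")
    zone = zones[zone_id]  # client-controlled identifier, never checked
    zone.rules.append((match, forward_to))
    return zone


def set_rule_fixed(zones, accounts, session_account, zone_id, match, forward_to):
    """Hardened pattern: tie the zone to the authenticated account on every
    write, and only forward to destinations that account has verified."""
    account = accounts.get(session_account)
    if account is None:
        raise Forbidden("not authenticated")
    zone = zones.get(zone_id)
    # Same error for "does not exist" and "not yours": no zone enumeration.
    if zone is None or zone.owner_account != account.account_id:
        raise Forbidden("zone not found or not owned by caller")
    if forward_to not in account.verified_destinations:
        raise Forbidden("forward destination is not verified for this account")
    zone.rules.append((match, forward_to))
    return zone


def demo():
    """Bob tries to forward Alice's mail to himself through each handler."""
    results = {}
    zones, accounts = sample_tenants()
    hijacked = set_rule_vulnerable(zones, accounts, "acct-bob", "zone-a",
                                   "*@alice.example", "bob@inbox.example")
    results["vulnerable_rules_on_alice_zone"] = list(hijacked.rules)

    zones, accounts = sample_tenants()
    try:
        set_rule_fixed(zones, accounts, "acct-bob", "zone-a",
                       "*@alice.example", "bob@inbox.example")
        results["fixed_cross_tenant"] = "allowed"
    except Forbidden:
        results["fixed_cross_tenant"] = "forbidden"
    results["fixed_rules_on_alice_zone"] = list(zones["zone-a"].rules)

    # A legitimate write by the zone owner still succeeds.
    own = set_rule_fixed(zones, accounts, "acct-alice", "zone-a",
                         "hello@alice.example", "alice@inbox.example")
    results["fixed_owner_write"] = list(own.rules)

    # The owner cannot forward to a mailbox the account has not verified.
    try:
        set_rule_fixed(zones, accounts, "acct-alice", "zone-a",
                       "x@alice.example", "stranger@inbox.example")
        results["fixed_unverified_dest"] = "allowed"
    except Forbidden:
        results["fixed_unverified_dest"] = "forbidden"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened version is that ownership is re-derived from the authenticated session on every write, rather than from anything the client sends, and that an unknown zone and a zone belonging to someone else produce the same error so the endpoint cannot be used to enumerate other customers’ domains.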
In his write-up, Pedersen notes that it is not difficult to find online lists of email addresses attached to Cloudflare’s service. Working from one of those lists, an attacker could have targeted anybody using the forwarding service with very little effort.
After discovering the flaw, Pedersen reproduced it several times using multiple domains he owned himself, then reported the issue to Cloudflare’s bug bounty program. The program ultimately awarded him a total of $US6,000 ($8,329) for his efforts. Pedersen also says his blog post was published with Cloudflare’s permission.
In an email to Gizmodo, a company representative confirmed that the bug was fixed after it was reported: “As summarized in the researcher’s blog, this vulnerability was disclosed through our bug bounty program. We then resolved the issue and verified that the vulnerability had not been exploited.”
It’s a good thing that it wasn’t, because if a hacker had gotten ahold of this exploit they could’ve caused some real inbox havoc. In his write-up, Pedersen notes that a cybercriminal could have used this bug to reset passwords, which would have threatened every other account linked to the hijacked email address:
“Not only is this a huge privacy issue, but due to the fact that password reset links are often sent to the email address of the user, a bad actor could also potentially gain control of any accounts linked to that email address. This is a good example of why you should be using 2-factor authentication,” he wrote.
Truth! Use 2-factor authentication! It just goes to show: we need as many nerds watching the internet as possible because you never know when something that sounds great is actually a giant security catastrophe waiting to happen.