Last year, the IT company Cloudflare launched an email routing service, which gives users the ability to configure a large number of addresses connected to the same inbox. Email routing can be a powerful privacy tool, as it allows you to hide your real email address behind a network of temporary or “burner” addresses. Unfortunately, as demonstrated in research published Wednesday by a university student in Denmark, Cloudflare’s service had a giant bug. The flaw, when properly exploited, allowed any user to read, or even manipulate, other users’ emails.
Albert Pedersen, who is currently a student at Skive College in Midtjylland, wrote that he discovered the invasive vulnerability in December. In a write-up posted on his website, Pedersen explained that the bug would have allowed a hacker to “modify the routing settings of any domain using the service.”
“I’m curious and I like to look at things to see if they break. I want to help keep the internet safe,” Pedersen told Gizmodo in a direct message. “I’ve always had an interest in all things computing. I found and reported my first bug in April of last year, and since then I’ve spent a lot of time looking for bugs.”
The vulnerability, which Cloudflare has confirmed but says was never exploited, involved a flaw in the program’s “zone ownership verification” system, meaning it was possible for a hacker to reconfigure routing and email forwarding for email domains they did not own. Proper manipulation of the exploit would have allowed someone who knew about the bug to redirect users’ emails to their own address. It would also have allowed a hacker to prevent certain emails from being sent to the target.
In his write-up, Pedersen notes that it’s not that hard to find online lists of email addresses attached to Cloudflare’s service. With one of these lists, a bad guy could have easily targeted anyone using the forwarding service.
After discovering the exploit, Pedersen managed to reproduce it multiple times using multiple personal domains and decided to report the issue to Cloudflare’s bug bounty program. The program eventually awarded him a total of $US6,000 ($8,329) for his efforts. Pedersen also says his blog post was published with Cloudflare’s permission.
In an email to Gizmodo, a company representative reiterated that the bug was fixed immediately after discovery: “As summarized in the researcher’s blog, this vulnerability was disclosed through our bug bounty program. We then resolved the issue and verified that the vulnerability was not exploited.”
It’s a good thing it wasn’t, because if a hacker had gotten hold of this exploit, it could have wreaked havoc on your inbox. In his write-up, Pedersen notes that a cybercriminal could have used this bug to reset passwords, which would have threatened other accounts linked to the exploited email address:
“Not only is this a huge privacy issue, but because password reset links are often sent to the user’s email address, a bad actor could also gain control of any account linked to that email address. This is a good example of why you should use 2-factor authentication,” he wrote.
True! Use 2-factor authentication! It just goes to show: We need as many nerds watching the internet as possible because you never know when something that sounds cool is actually a giant security catastrophe waiting to happen.