
Bug Bounty Show at BSides Ahmedabad 2022 feat. Sayaan Alam

BSides Ahmedabad · 2022 · 6:51 · 1.3K views · Published 2023-02

Transcript [en]

So, good morning everyone. I hope you are all having a great time here. I just want to know, how many of you are doing bug bounty? Okay, very nice. So as you already know, for the very first time we are doing the Bug Bounty Show, where bug bounty hunters will explain the methodologies to crack the most unique bugs. So without wasting time we can go ahead with our first talk. I would like to welcome Sayaan Alam to present his talk on "Playing with Fake Emails for Fun and Profit". Can we have a round of applause for Sayaan?

Hi, good morning everyone. Thank you so much for having me here. It's my first ever talk in my whole life, so I am very excited and a little bit nervous. Today I am going to talk about my recent finding with Dropbox, where I played with the email server and got a bounty of five thousand dollars for sending a fake email. So let's start. First, let me talk about myself. I am a student and part-time bug bounty hunter, a Synack Red Team member and a Microsoft Most Valuable Hacker. I write my blog on Medium.

So let's start. I found a vulnerability that allowed me to send faxes from any account on HelloFax. HelloFax allows everyone to send faxes directly from their email account by sending an email to <fax number>@hellofax.com. When the application server receives a fake email, it considers it an authentic email and sends a fax from the victim's HelloFax account. Here is the functionality in a Dropbox article, where it shows how we can send a fax through email: we have to send an email to <fax number>@hellofax.com from our registered email address. So what I did is I sent a fake email, using a fake email service, to <fax number>@hellofax.com. When I sent that email, the application did not check the authenticity of that email. It was a fake email, but the application sent a fax from the victim's account, because I put the victim's email into the From field. So when I sent a fake email, the application did not check that it was a fake email and sent a fax from the victim's account. That allowed me a partial account takeover and a complete takeover of that functionality: it allowed me to send a fax from anyone's account. Many government agencies used that service on HelloFax on their official account, on their official phone numbers, so that allowed me to send a fax from any account.

Now, the Dropbox team applied a fix on this: they applied a DKIM and SPF check on every email sent. This type of vulnerability is mostly considered less impactful; many programs close it as informative. But in my case I had a very broad impact, where I was able to compromise anyone's account, I was able to send a fax from any account. So this allowed me a partial account takeover. The Dropbox team awarded me a five thousand dollar bounty for this bug, and they applied a fix where they check, where they applied a DKIM and SPF check.

Now here we have different exploitation scenarios. I found this bug on the Microsoft bug reporting portal, where I was able to create a report on anyone's account: I was able to send a fake email to the Microsoft bug reporting email, and that fake email created a bug report on the victim's account, the account that I put in the From field in my fake email. Another bug I found was on Amazon Kindle, where I was able to bypass the email restriction of the owner and add a book on anyone's Kindle account. I just edited the From field to the victim's email and sent a PDF, and that PDF was added as a book on the Amazon Kindle account of the victim. This thing can be exploited on support panels as well, where we can put a victim's email in the From field of that fake email and send the email to the support email, and that creates a ticket on the victim's email. This thing can be used to trick a support employee into thinking that the email has been sent from a legitimate user. We can use this thing as an employee email to send to an internal ticket tracker, where it can trigger a high-level phishing attack.

Here I have a video PoC of the bug, of how it did work on HelloFax. Here I am sending a fake email to the Dropbox HelloFax email by putting a victim's email in the From field. This is the victim's email address, and in the To field there is <fax number>@hellofax.com; that is the protocol for sending a fax directly from email. Here I sent a fake email by putting the victim's email in the From field, and we can see on HelloFax there's a fax sent. This is the victim's account logged in here, and a fax has been sent to the number we put there. We didn't need to interact anywhere with the account; we just put the victim's email in the From field and a real fax has been sent from the victim's account. So this is how this bug works: we can send a fax from anyone's account. To prevent this, Dropbox has added an additional DKIM and SPF check. So that was it, and thank you so much for having me here again. [Applause]
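The fix the speaker describes, a DKIM and SPF check before acting on a mail-triggered request, is shown below as an added example; it is not code from the talk, from Dropbox or from HelloFax. It assumes the receiving MTA has already evaluated SPF and DKIM and stamped its verdict in an RFC 8601 `Authentication-Results` header under a known authserv-id (the hostname `mx.example-fax-service.test` and every message and domain in the samples are constructed). The gate applies two checks a plain "pass" lookup would miss: the header must come from our own MTA (a sender can add an `Authentication-Results` header of their own), and the authenticated domain must align with the `From:` domain, the same alignment rule DMARC uses, since a fake-mail service can pass SPF and DKIM for its own domain while spoofing someone else's `From:`.

```python
"""Trust the MTA's authentication verdict, not the From: header.

Added example, not code from the talk or from Dropbox/HelloFax. Messages
and hostnames are constructed; the Authentication-Results header is the
one a receiving MTA stamps (RFC 8601) after evaluating SPF and DKIM.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# authserv-id of our own MTA (assumed name). Only its header counts, so a
# sender cannot simply add a forged "spf=pass" header of their own.
TRUSTED_AUTHSERV_ID = "mx.example-fax-service.test"


def parse_auth_results(header_value):
    """Split one Authentication-Results value into its authserv-id and
    {method: (result, {property: value})}."""
    authserv_id, _, rest = header_value.partition(";")
    results = {}
    for clause in rest.split(";"):
        m = re.match(r"(\w+)=(\w+)(.*)", clause.strip(), re.S)
        if m:
            method, result, tail = m.groups()
            props = dict(re.findall(r"([\w.]+)=(\S+)", tail))
            results[method.lower()] = (result.lower(), props)
    return authserv_id.strip().lower(), results


def domain_part(value):
    """smtp.mailfrom may be a full address or a bare domain; keep the domain.
    Strict alignment only; relaxed (organizational-domain) alignment would
    need the Public Suffix List."""
    return value.lower().rstrip(".").rsplit("@", 1)[-1]


def from_is_authenticated(raw_message):
    """True only if our MTA recorded SPF=pass or DKIM=pass for a domain that
    aligns with the From: header domain. Anything else must not be allowed
    to act on the From: account (send a fax, open a ticket, add a book)."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    if "@" not in from_addr:
        return False
    from_domain = domain_part(from_addr)
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(hdr)
        if authserv_id != TRUSTED_AUTHSERV_ID:
            continue  # not stamped by our MTA: ignore it
        spf_result, spf_props = results.get("spf", ("none", {}))
        if spf_result == "pass" and domain_part(spf_props.get("smtp.mailfrom", "")) == from_domain:
            return True
        dkim_result, dkim_props = results.get("dkim", ("none", {}))
        if dkim_result == "pass" and domain_part(dkim_props.get("header.d", "")) == from_domain:
            return True
    return False


# Constructed: spoofed From:, relayed by a mailer whose own domain passes
# SPF and DKIM. Authenticated, but not aligned with example.com.
FORGED = """\
Authentication-Results: mx.example-fax-service.test;
 spf=pass smtp.mailfrom=bounce.fake-mailer.test;
 dkim=pass header.d=fake-mailer.test header.s=k1
From: Victim <victim@example.com>

send this fax
"""

# Constructed: same From:, but example.com itself authenticated.
LEGIT = """\
Authentication-Results: mx.example-fax-service.test;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com header.s=sel1
From: Victim <victim@example.com>

send this fax
"""

# Constructed: a "pass" header supplied by the sender under another
# authserv-id, followed by our MTA's real verdict.
INJECTED = """\
Authentication-Results: other-mx.test; spf=pass smtp.mailfrom=example.com
Authentication-Results: mx.example-fax-service.test; spf=fail smtp.mailfrom=bounce.fake-mailer.test; dkim=none
From: victim@example.com

send this fax
"""


def classify_samples():
    """Run the gate over the three constructed messages."""
    return {name: from_is_authenticated(raw) for name, raw in
            [("forged_misaligned", FORGED), ("legit_aligned", LEGIT), ("injected_header", INJECTED)]}


if __name__ == "__main__":
    for name, trusted in classify_samples().items():
        print(f"{name:18s} act on From: account -> {trusted}")
```

Only the `legit_aligned` message is allowed to act on the `From:` account; the forged message fails on alignment even though both SPF and DKIM passed for the relay's own domain, and the injected header is ignored because its authserv-id is not ours. The actual SPF and DKIM evaluation belongs in the MTA or a dedicated library; application code should only consume the recorded verdict, as here.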