Hi there, another happy day, and today I am publishing this vulnerability because there is a big reason behind it.

We know that Fastmail.fm has started a Bug Bounty Program for white-hat hackers to secure themselves from black-hat hackers, but today, when I tried to exploit their website with some advanced methods, I was successfully able to exploit their website by API injection.

The bug was that I could send email from Fastmail using any email address, such as admin@fastmail.fm, administrator@fasmail.fm or any other email address.



When I emailed them the complete process, with a video reference showing how it could be exploited, and showed them the complete process and proof of concept, they refused to give me the bug bounty reward, which was $2000, and not only this, they also refused to list me in the Hall of Fame.

They said that this is not a bug and that this is the design of their email service, that's how it works, and they won't consider this a bug. I was shocked!!! Yes, I was shocked to learn that for them API injection is not a bug. I don't know what type of cyber security experts Fastmail has, who don't even know what API injection is.

Here is one of the emails they replied to me with earlier.



Wait, Mr. Rob Nile, I will show the world how dangerous it is! Don't worry about it; the world will let you know whether it was a bug/vulnerability or not, because today I am going to publish this exploit.


Before we start, I am telling you that Mr. Rob has told me that he could take action against anyone who does this illegally, for spamming and all that stuff, for wrong use, so I am also giving you a warning: don't do anything wrong after reading this, because you could face real trouble, and I am not responsible for any of your acts done after reading this exploit from my blog or a third-party blog.

First of all, I created an account on fastmail.fm. After confirming my account, I went over to compose an email. Please note that to reproduce this bug one must have the two things listed below.
  • Firefox
  • Live HTTP Headers plugin (Firefox plugin)
Now I filled in the form to compose an email, as in the picture below.



Now open Live HTTP Headers and it will start capturing. Then just click Send to send the email, and in Live HTTP Headers the captured API request and other things will appear. Find the email request in Live HTTP Headers, click on it and click Replay; the API request and URL text will then be shown, so we will do further editing in it, and if we succeed it will be API injection.



We will remove two things: one is the personality ID and the other is the draft ID number, leaving them blank.


Now we will edit the sender email, which is our email, wherever it appears; in my case it appears 2 times in the API request, so I will replace the sender email with the email I want to spoof, such as admin@fastmail.com, in both places, so it would look like this.
 

And here I am, having successfully bypassed and exploited the API of FastMail and sent an email from admin@fastmail.com.
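The server-side check that closes this hole, as an added example that is not Fastmail's code: a hypothetical mail-submission handler that rejects a replayed request whose personality ID is blank or not owned by the account, or whose sender address, in either place it appears, is not the verified address of that personality. The field names `personality_id`, `from` and `envelope_from`, the `Account` class and the sample addresses are all assumptions constructed for the example.

```python
"""Server-side sender validation for a mail-submission API (added example).

Hypothetical code, not Fastmail's: it shows the check a sending API needs
so that a replayed request with a blanked personality ID or an edited
sender address is rejected instead of being sent.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    """Authenticated user and the sender identities (personalities) they own.
    Maps personality_id -> verified email address (constructed data)."""
    username: str
    personalities: dict = field(default_factory=dict)


class SendRejected(Exception):
    """Raised when a submitted message may not go out with the given sender."""


def validate_send(account: Account, request: dict) -> str:
    """Return the sender address the message may use, or raise SendRejected.

    `request` mirrors the replayed form: 'personality_id', 'from' (header
    From) and 'envelope_from' (SMTP MAIL FROM), the two places the sender
    address appears. Each is compared against the identity the server
    itself holds for the authenticated account; the client's values are
    never trusted for the sender.
    """
    pid = (request.get("personality_id") or "").strip()
    if not pid:
        raise SendRejected("missing personality ID")  # blanked in the replay
    if pid not in account.personalities:
        raise SendRejected("personality does not belong to this account")
    owned = account.personalities[pid].lower()
    for fld in ("from", "envelope_from"):
        submitted = (request.get(fld) or "").strip().lower()
        if submitted != owned:
            raise SendRejected(f"{fld} {submitted!r} is not a verified sender")
    return owned  # server-chosen value, not the client's


def send_allowed(account: Account, request: dict) -> bool:
    """Boolean wrapper around validate_send for callers that only need yes/no."""
    try:
        validate_send(account, request)
        return True
    except SendRejected:
        return False
```

A request that passes still goes out only with `owned`, the address the server looked up, so even a matching-but-differently-cased client value cannot alter the sender.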




Now Mr. Rob thinks this is not a vulnerability and is not an issue for them! I hope that anyone from Fastmail who is reading my article will consider it and will remove such corruption from the company.





Regards,
Ahmed Mehtab
ahmedmehtab009@gmail.com


