Important: Security Vulnerability - Email Spoofing

ANOOPAM MISHRA f2016032 at pilani.bits-pilani.ac.in
Fri Jul 7 11:56:33 EDT 2017


Hi!
I just noticed this security vulnerability.

An email can be spoofed from security at pidgin.im.

Here are the steps for the same:

1) Go to http://emkei.cz/
2) Fill the "From-email" field with security at pidgin.im (or any other @pidgin.im email ID)
3) Fill in the other details, like the victim's email ID

You will then receive the email from security at pidgin.im.

You will receive it directly in Yahoo Mail, but you might receive it in the spam folder in Gmail. There is some configuration missing in the mail servers, as other domains like @facebook.com don't allow this.

This can be very dangerous, as anyone can send a phishing link (or any other mail that tricks people into believing that Pidgin sent it), and it can lead to a huge loss of reputation. This could be a very serious issue.

I have attached a screenshot as the proof.

Regards,
Anoopam Mishra
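As an added, defender-side example that is not part of the original report: a check of whether a domain's published mail-authentication records (SPF and DMARC, which is the "missing configuration" such spoofing reports usually come down to) tell a receiving server to reject mail forged in its name. The domain names and TXT records below are constructed for illustration and are not pidgin.im's real records; a live check would fetch the TXT record at the domain and at _dmarc.<domain>.

```python
# Added example: classify a domain's exposure to From:-header spoofing from its
# SPF and DMARC TXT records. Sample records are constructed, not real lookups.
import re

def spf_all_qualifier(spf):
    """Return the qualifier on the SPF 'all' mechanism: '-', '~', '?', '+' or None."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return None  # no SPF record published at all
    for term in spf.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all'
    return None  # record present but no 'all' term: unmatched senders are neutral

def dmarc_policy(dmarc):
    """Return the DMARC p= value ('none', 'quarantine', 'reject') or None if absent."""
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        return None
    for tag in dmarc.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "p":
            return value.strip().lower()
    return None

def spoofing_exposure(spf, dmarc):
    """How a receiver that honours SPF/DMARC treats mail with a forged From: domain."""
    qualifier = spf_all_qualifier(spf)
    policy = dmarc_policy(dmarc)
    if policy in ("reject", "quarantine"):
        return "protected"  # DMARC binds the From: domain to SPF/DKIM and says what to do on failure
    if qualifier == "-":
        return "partial"    # SPF hard-fails the envelope sender, but without DMARC From: is unconstrained
    return "exposed"        # nothing instructs receivers to reject forged mail

SAMPLE_RECORDS = {  # constructed examples, keyed by domain: (SPF TXT, DMARC TXT)
    "no-records.example": (None, None),
    "softfail.example": ("v=spf1 include:_spf.example.net ~all",
                         "v=DMARC1; p=none; rua=mailto:dmarc@softfail.example"),
    "hardfail.example": ("v=spf1 ip4:192.0.2.0/24 -all", None),
    "protected.example": ("v=spf1 ip4:192.0.2.0/24 -all", "v=DMARC1; p=reject; pct=100"),
}

def assess_all(records=SAMPLE_RECORDS):
    """Map each domain to its spoofing exposure verdict."""
    return {domain: spoofing_exposure(spf, dmarc) for domain, (spf, dmarc) in records.items()}

if __name__ == "__main__":
    for domain, verdict in assess_all().items():
        print(f"{domain}: {verdict}")
```

A domain that comes out "exposed" or "partial" is one where a receiver has no instruction to reject forged From: addresses, which is the condition the report describes.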