Vulnerability Name: DMARC Record Missing (Email Spoofing).

viren yadav virenyadav100 at gmail.com
Mon Sep 9 03:02:59 EDT 2019


Hello Sir,

I am an Ethical Hacker and I found a vulnerability in the Pidgin domain.

Vulnerability Name: DMARC Record Missing (Email Spoofing).

VRT: Server Security Misconfiguration - Email Spoofing to Inbox due to
Missing or Misconfigured DMARC on Email Domain.

BUG URL: security at pidgin.im


DESCRIPTION:-

How to Reproduce the Issue:

1. Go to https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/ and check
for DMARC records of "pidgin.im".

2. Now go to https://emkei.cz/

- Fill in all the details, like:

  - Name - Pidgin
  - Email From - security at pidgin.im
  - Email To - Your Email Address
  etc.

- Send Email

3. It will directly send a mail from security at pidgin.im to you.


IMPACT:-
An attacker can do email spoofing, and along with this the attacker can easily
take important information or data from the victim using your website name;
here the victim can be easily tricked by the attacker, as the DMARC record is
missing at your main domain.


PoC Screenshots are Attached.

Thank You!

With Regards:
-Virendra Yadav
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Pidgin1000.png
Type: image/png
Size: 98580 bytes
Desc: not available
URL: <https://lists.pidgin.im/private/security/attachments/20190909/5d7e0a7c/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Pidgin1002.png
Type: image/png
Size: 88971 bytes
Desc: not available
URL: <https://lists.pidgin.im/private/security/attachments/20190909/5d7e0a7c/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Pidgin1001.png
Type: image/png
Size: 66674 bytes
Desc: not available
URL: <https://lists.pidgin.im/private/security/attachments/20190909/5d7e0a7c/attachment-0005.png>
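The mechanics behind the report above, as an added example that is not part of the report, of Pidgin, or of any project: a small model of what a DMARC-aware receiving MTA does with a message whose From: header claims a domain. It performs policy discovery (the _dmarc TXT lookup, with the organizational-domain fallback), checks SPF/DKIM identifier alignment in strict and relaxed mode, and returns the disposition the published p=/sp= tag calls for. All DNS records, domains (example.com, example.net, example.org, relay.example) and authentication results are constructed; no real DNS data for pidgin.im or emkei.cz is used. The organizational-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
"""Model the disposition a DMARC-aware receiver applies to a message.

Added example code, not from the report or from Pidgin. All DNS records and
authentication results below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AuthResults:
    header_from: str   # domain of the RFC 5322 From: header (what the user sees)
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # domain SPF was evaluated against (RFC 5321 MAIL FROM)
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the DKIM signature, or "" if unsigned


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict with RFC 7489 defaults applied."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("not a DMARC record: first tag must be v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        # Policy and alignment values are case-insensitive; URIs (rua=) are kept as-is.
        tags[key] = value.strip().lower() if key in ("p", "sp", "adkim", "aspf") else value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment
    tags.setdefault("aspf", "r")      # relaxed SPF alignment
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: keeps the last two labels. A real
    receiver consults the Public Suffix List (this breaks on example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def lookup_dmarc(domain: str, dns_txt: dict) -> Tuple[Optional[dict], str]:
    """Policy discovery (RFC 7489 section 6.6.3): try _dmarc.<domain>, then fall
    back to _dmarc.<organizational domain>. Malformed records are ignored, as a
    receiver would. Returns (policy, domain the record was found at)."""
    candidates = []
    for cand in (domain.lower().rstrip("."), org_domain(domain)):
        if cand not in candidates:
            candidates.append(cand)
    for cand in candidates:
        for txt in dns_txt.get(f"_dmarc.{cand}", []):
            try:
                return parse_dmarc(txt), cand
            except ValueError:
                continue
    return None, ""


def evaluate(msg: AuthResults, dns_txt: dict) -> Tuple[str, str]:
    """Return (disposition, reason); disposition is 'pass', 'none',
    'quarantine' or 'reject'. pct= sampling is not modelled."""
    policy, found_at = lookup_dmarc(msg.header_from, dns_txt)
    if policy is None:
        # The situation in the report: nothing to enforce, so a forged From:
        # header is delivered on the relay's own SPF/DKIM results alone.
        return "none", f"no DMARC record for {msg.header_from}; forged From: is not policed"
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.header_from, policy["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.header_from, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM")
    # A record found at the organizational domain governs subdomains via sp=.
    exact = found_at == msg.header_from.lower().rstrip(".")
    tag = "p" if exact else "sp"
    return policy[tag], f"no aligned authentication; applying {tag}={policy[tag]} from _dmarc.{found_at}"


# Constructed records; none of these are real DNS answers. example.com has no
# _dmarc entry on purpose, which is the condition the report describes.
SAMPLE_DNS_TXT = {
    "_dmarc.example.net": ["v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@example.net"],
    "_dmarc.example.org": ["v=DMARC1; p=quarantine; sp=none"],
}

# Constructed messages. The spoofs pass SPF for the relay's own domain, which
# is exactly why SPF alone does not protect the visible From: header.
SPOOF_UNPROTECTED = AuthResults("example.com", "pass", "relay.example", "none", "")
SPOOF_REJECTED = AuthResults("example.net", "pass", "relay.example", "none", "")
LEGIT_STRICT = AuthResults("example.net", "pass", "example.net", "pass", "example.net")
SUBDOMAIN_STRICT_FAIL = AuthResults("mail.example.net", "pass", "example.net", "none", "")
SUBDOMAIN_SP_NONE = AuthResults("news.example.org", "fail", "relay.example", "none", "")

if __name__ == "__main__":
    for name, m in [("SPOOF_UNPROTECTED", SPOOF_UNPROTECTED), ("SPOOF_REJECTED", SPOOF_REJECTED),
                    ("LEGIT_STRICT", LEGIT_STRICT), ("SUBDOMAIN_STRICT_FAIL", SUBDOMAIN_STRICT_FAIL),
                    ("SUBDOMAIN_SP_NONE", SUBDOMAIN_SP_NONE)]:
        print(f"{name:22s} -> {evaluate(m, SAMPLE_DNS_TXT)}")
```

To look at a real domain instead of the constructed table, query the record with `dig +short TXT _dmarc.<domain>`; an empty answer is the condition the report describes. Two caveats worth carrying into a fix: a p=reject record only bites when legitimate mail already passes aligned SPF or DKIM, so the usual rollout is p=none with a rua= address first to collect aggregate reports, then quarantine, then reject; and a record at the organizational domain covers subdomains through sp=, so an explicit sp=none (as in the example.org record above) leaves subdomain From: addresses unprotected.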
