Last year, IT firm Cloudflare launched an email routing service, giving users the ability to set up a large number of addresses connected to the same inbox. Email routing can be a powerful privacy tool, as it allows you to hide your actual email address behind a network of temporary or “burnable” addresses. Unfortunately, as demonstrated in research published Wednesday by a college student from Denmark, Cloudflare’s service had a giant bug in it. The flaw, when properly exploited, allowed any user to read—or even manipulate—other users’ emails.
Albert Pedersen, who is currently a student at Skive College in Midtjylland, wrote that he discovered the invasive vulnerability back in December. In a write-up published to his website, Pedersen explained that the bug would have allowed a hacker to “modify the routing configuration of any domain using the service.”
“I’m curious and like to prod at things to see if they break. I want to help keep the internet safe,” Pedersen told Gizmodo in a direct message. “I’ve always had an interest for everything computers and IT. I found and reported my first bug back in April of last year, and I’ve spent a lot of time bug hunting since then.”
The vulnerability, which Cloudflare has confirmed but says was never exploited, involved a flaw in the program’s “zone ownership verification” system, meaning that it was possible for a hacker to reconfigure email routing and forwarding for email domains that weren’t owned by them. Proper manipulation of the exploit would have allowed someone with knowledge of the bug to re-route any users’ emails to their own address. It would have also allowed a hacker to prevent certain emails from being sent to the target at all.
In his write-up, Pedersen notes that it’s not that difficult to find online lists of email addresses attached to Cloudflare’s service. Using one of those lists, a bad guy could have quite easily targeted anyone using the forwarding service.
After discovering the exploit, Pedersen managed to reproduce it a number of times using multiple personal domains and decided to report the issue to Cloudflare’s bug bounty program. The program ultimately awarded him a total of $6,000 for his efforts. Pedersen also says his blog was published with permission from Cloudflare.
In an email to Gizmodo, a company representative reiterated that the bug was fixed immediately after discovery: “As summarized in the researcher’s blog, this vulnerability was disclosed through our bug bounty program. We then resolved the issue and verified that the vulnerability had not been exploited.”
It’s a good thing that it wasn’t, because if a hacker had gotten hold of this exploit they could’ve caused some real inbox havoc. In his write-up, Pederson notes that a cybercriminal could have used this bug to reset passwords, which would have threatened other accounts linked to the exploited email address:
“Not only is this a huge privacy issue, but due to the fact that password reset links are often sent to the email address of the user, a bad actor could also potentially gain control of any accounts linked to that email address. This is a good example of why you should be using 2-factor authentication,” he wrote.
Truth! Use 2-factor authentication! It just goes to show: we need as many nerds watching the internet as possible because you never know when something that sounds great is actually a giant security catastrophe waiting to happen.