A Danish ethical hacker was able to work his way uninvited into a closed Cloudflare beta and found a vulnerability that could have been exploited by a cybercriminal to hijack and steal someone else's email.
Student Albert Pedersen reported the critical vulnerability to Cloudflare via the company's bug bounty program, and was awarded $3,000. He said in a write-up on Wednesday he alerted the internet giant soon after he spotted the vulnerability on December 7. According to a timeline on HackerOne, which manages the bounty program, Cloudflare fixed the flaw within a few days. However, it wasn't until July 28 that the vuln was publicly disclosed, allowing Pedersen to publish his blog post this month.
Cloudflare, which mainly carries out content distribution duties and provides security protection for websites, announced its Email Routing service in September 2021, initially making it available as a private beta program. The service, which in February went into open beta, allows customers to create and manage custom email addresses for their domains and have them redirect their mail to specific addresses.
The first challenge for Pedersen was slipping into this private beta.
"Cloudflare Email Routing was in closed beta back when I discovered this vulnerability, with only a few domains having been granted access," Pedersen wrote. "Sadly, I was not invited to the party, so I was simply going to have to crash it instead."
He got into program by manipulating the data sent from Cloudflare's backend servers to the Cloudflare dashboard open in his browser. He wrote that he used the Burp suite running on his computer "to intercept the response and replace 'beta': ..
Support the originator by clicking the read the rest link below.
