Re: [sysreq #18068] Re: Vulnerability Report: (Email Spoofing)

Please see our previous response, sent on Dec 4 (copied below)

Please send any followup messages only to sysreq@w3.org

Thanks

----- Forwarded message from Gerald Oskoboiny <gerald@w3.org> -----

Date: Wed, 4 Dec 2024 09:28:53 -0800
From: Gerald Oskoboiny <gerald@w3.org>
To: Jed Rip via RT <sysreq@w3.org>
Subject: Re: [sysreq #18068] Re: Vulnerability Report: (Email Spoofing)

Hi,

We do have DMARC and SPF records for our domain, as well as
several custom forgery prevention mechanisms. We are in the
process of updating our DMARC policy.

For more info see https://www.w3.org/policies/email/#forgeries

For more info on our bug bounty program see
https://www.openbugbounty.org/bugbounty/w3c_systeam/


* Jed Rip via RT <sysreq@w3.org> [2024-12-16 12:21+0000]
><https://www.w3.org/Help/Requests/Ticket/Display.html?id=18068>
> Requestors: jed.rip.protector@gmail.com
>        CCs: contact@w3.org, invoicing@w3.org, membership@w3.org, public-website-redesign@w3.org, team-liaisons@w3.org, w3t-pr@w3.org
>   AdminCCs:
>
>Hi Dear,
>
>I hope this email finds you well. I'm following up on the vulnerability
>report I submitted for your website, which was sent weeks ago.
>
>As a friendly reminder, I'd appreciate it if you could provide an update on
>the reward for my services. Your acknowledgement and compensation will not
>only encourage me but also motivate me to continue providing top-notch
>security research.
>
>Please take a moment to review my report and let me know your thoughts on
>the reward. I'm eager to hear back from you and appreciate your time.
>
>Thank you for your attention to this matter.
>
>Best regards,
>
>On Sun, Oct 6, 2024 at 7:20 AM Jed Rip <jed.rip.protector@gmail.com> wrote:
>
>> Hello Team,
>>
>>
>> I am a security researcher and I provide information and knowledge
>> regarding "Vulnerability" on websites. I have found some vulnerabilities on
>> your website/domain.
>>
>> *DESCRIPTION:*
>>
>>
>> I just sent a forged email to my email address that appears to originate
>> from membership@w3.org. I was able to do this because of the following:
>>
>> DMARC record lookup and validation for w3.org
>>
>>  “No DMARC Record found”
>> And/ OR
>> "DMARC Quarantine/Reject policy not enabled"
>>
>>
>> *Fix:*
>> 1) Publish DMARC Record. (If not already Published)
>> 2) Enable DMARC Quarantine/Reject policy
>> 3) Your DMARC record should look like
>> "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:info@domain.com"
>>
>> *And*
>>
>> As I have seen the SPF and TXT record for w3.org which is:
>>
>>
>> Found v=spf1 record for w3.org:
>> v=spf1 include:_spf.google.com ~all
>>
>>
>> so a valid record will look like:
>>
>>
>> Found v=spf1 record for w3.org:
>>
>> v=spf1 include:_spf.google.com -all
>>
>>
>>
>>
>> *What's the issue:*
>> As you can see in the article on the difference between softfail and
>> hardfail, you should be using hardfail, as it doesn't allow anyone to send
>> spoofed emails from your domains. In the current SPF record you should
>> replace (?) or (~) with (-) at the end before "all"; - is strict, which
>> prevents all spoofed emails except if you are sending
>>
>> You can validate by testing yourself over here: mxtoolbox.com
>>
>> This is useful in phishing, and this type of vulnerability is newsworthy:
>> http://bits.blogs.nytimes.com/2015/04/09/sendgrid-email-breach-was-used-to-attack-coinbase-a-bitcoin-exchange/
>> https://medium.com/@hotbit/official-statement-notices-of-counterfeit-email-listing-hotbit-io-d1d240005d35
>>
>> This can be done using any PHP mailer tool like this:
>>
>> <?php
>> $to = "VICTIM@example.com";
>> $subject = "Password Change";
>> $txt = "Change your password by visiting here - [VIRUS LINK HERE]";
>> $headers = "From:  membership@w3.org";
>> mail($to,$subject,$txt,$headers);
>> ?>
>>
>> *IMPACT:*
>> Due to this vulnerability, any hacker can send a forged email to your
>> customers using your domain. Thus, getting sensitive information of your
>> customers like login details, downloading a virus/malware etc.
>>
>> Also, when an attacker sends an email to your customers asking them to
>> change their password, the customer, after seeing the mail, might consider
>> the mail legit and fall for the trap.
>>
>> In doing this the attacker can take them to his website where certain
>> JavaScript is executed which steals the customer's session id and password.
>>
>> The results can be more dangerous and impactful.
>>
>> A study shows why DMARC and SPF are crucial:
>>
>>  1) $1.6 million on average is what one single spear phishing attack costs
>> for organizations
>>  2) $500 million every year is scammed by phishing attacks
>>  3) Just 3% of all users will report phishing emails to their management
>>  4) More than 400 businesses are targeted by BEC scams every day
>>  5) 76% of organizations have reported that they have been victims of a
>> phishing attack.
>>  6) 1 in 3 companies have been victims of CEO fraud emails
>>  7) 70% of all global emails are malicious
>>  8) Fake invoice messages are the #1 type of phishing lure
>>
>> You can find the SPF fix over here:
>> https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability
>>
>>
>> For DMARC record: https://easydmarc.com/blog/how-to-fix-no-dmarc-record-found/
>>
>> and DMARC policy here: https://support.rackspace.com/how-to/create-a-dmarc-policy/
>>
>> Let me know if you need me to send a forged email.
>>
>> *Note:* Eagerly awaiting your approval for the bounty reward tied to my
>> recent security contribution. Let's continue the journey together, and I
>> will be reporting other vulnerabilities accordingly.
>>
>>
>> Stay Safe & Healthy.
>>
>> Jed Rip
>>
>> *Snapshots:*
>> [image: image.png]
>> [image: image.png]
>>
>




-- 
Gerald Oskoboiny <gerald@w3.org>
http://www.w3.org/People/Gerald/
tel:+1-604-906-1232 (mobile)

Received on Monday, 16 December 2024 18:58:56 UTC
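The softfail/hardfail and DMARC policy points raised in the quoted report can be checked mechanically. The following is an added example (my own code, not from this thread or from W3C's systems) that parses the SPF and DMARC records quoted in the report and reports what each one actually enforces, including the caveat that SPF only checks the envelope sender, so the visible From: header is enforced only by a DMARC quarantine/reject policy. The sample records are the ones quoted in the report; the function names and the findings vocabulary are assumptions of mine.

```python
import re

# Constructed sample records: the SPF record quoted in the report, the
# hardened form it recommends, and the DMARC record it suggests.
SAMPLE_SPF_SOFTFAIL = "v=spf1 include:_spf.google.com ~all"
SAMPLE_SPF_HARDFAIL = "v=spf1 include:_spf.google.com -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:info@domain.com"

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_qualifier(record):
    """Return the qualifier of the final 'all' mechanism, or None if absent."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # bare 'all' means '+all'
    return None

def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess(spf_record, dmarc_record):
    """Summarise how much forgery protection the pair of records gives (my own vocabulary)."""
    findings = []
    q = spf_all_qualifier(spf_record)
    findings.append("spf:" + ("missing-all" if q is None else SPF_QUALIFIERS[q]))
    tags = parse_dmarc(dmarc_record) if dmarc_record else {}
    p = tags.get("p", "none" if tags else "missing").lower()
    findings.append("dmarc:" + p)
    # pct<100 or an 'sp' weaker than 'p' leave gaps that the 'p' tag alone hides.
    if tags and int(tags.get("pct", "100")) < 100:
        findings.append("dmarc:partial-pct")
    if tags and tags.get("sp", p).lower() != p:
        findings.append("dmarc:subdomain-policy=" + tags["sp"])
    # SPF is evaluated against the envelope sender (MAIL FROM), not the From:
    # header; only DMARC ties the result to the header the recipient sees.
    findings.append("header-from-enforced" if p in ("quarantine", "reject") else "header-from-unenforced")
    return findings
```

To check a live domain, feed it the TXT record of the domain and of _dmarc.<domain> as returned by a DNS lookup; the example itself does no network I/O.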